build-appliance-image: Update to kirkstone head revision

(From OE-Core rev: fbdf93f43ff4b876487e1f26752598ec8abcb46e) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
poky.conf: bump version for 4.0.5
2026-02-21 00:49:41 +01:00 · 2022-10-29 16:33:03 +01:00 · 2022-10-29 16:32:24 +01:00 · 2022-10-29 16:32:24 +01:00 · 2022-10-29 16:32:24 +01:00 · 2022-10-29 16:32:24 +01:00
352 changed files with 18991 additions and 1264 deletions
--- a/bitbake/bin/bitbake-prserv
+++ b/bitbake/bin/bitbake-prserv
@@ -1,5 +1,7 @@
 #!/usr/bin/env python3
 #
+# Copyright BitBake Contributors
+#
 # SPDX-License-Identifier: GPL-2.0-only
 #

--- a/bitbake/bin/bitbake-worker
+++ b/bitbake/bin/bitbake-worker
@@ -1,5 +1,7 @@
 #!/usr/bin/env python3
 #
+# Copyright BitBake Contributors
+#
 # SPDX-License-Identifier: GPL-2.0-only
 #

--- a/bitbake/bin/git-make-shallow
+++ b/bitbake/bin/git-make-shallow
@@ -1,5 +1,7 @@
 #!/usr/bin/env python3
 #
+# Copyright BitBake Contributors
+#
 # SPDX-License-Identifier: GPL-2.0-only
 #

--- a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-fetching.rst
+++ b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-fetching.rst
@@ -688,6 +688,8 @@ Here is an example URL::

 It can also be used when setting mirrors definitions using the :term:`PREMIRRORS` variable.

+.. _crate-fetcher:
+
 Crate Fetcher (``crate://``)
 ----------------------------

@@ -704,6 +706,80 @@ Here is an example URL::

   SRC_URI = "crate://crates.io/glob/0.2.11"

+.. _npm-fetcher:
+
+NPM Fetcher (``npm://``)
+------------------------
+
+This submodule fetches source code from an
+`NPM <https://en.wikipedia.org/wiki/Npm_(software)>`__
+Javascript package registry.
+
+The format for the :term:`SRC_URI` setting must be::
+
+   SRC_URI = "npm://some.registry.url;ParameterA=xxx;ParameterB=xxx;..."
+
+This fetcher supports the following parameters:
+
+-  *"package":* The NPM package name. This is a mandatory parameter.
+
+-  *"version":* The NPM package version. This is a mandatory parameter.
+
+-  *"downloadfilename":* Specifies the filename used when storing the downloaded file.
+
+-  *"destsuffix":* Specifies the directory to use to unpack the package (default: ``npm``).
+
+Note that NPM fetcher only fetches the package source itself. The dependencies
+can be fetched through the `npmsw-fetcher`_.
+
+Here is an example URL with both fetchers::
+
+   SRC_URI = " \
+       npm://registry.npmjs.org/;package=cute-files;version=${PV} \
+       npmsw://${THISDIR}/${BPN}/npm-shrinkwrap.json \
+       "
+
+See :yocto_docs:`Creating Node Package Manager (NPM) Packages
+</dev-manual/common-tasks.html#creating-node-package-manager-npm-packages>`
+in the Yocto Project manual for details about using
+:yocto_docs:`devtool <https://docs.yoctoproject.org/ref-manual/devtool-reference.html>`
+to automatically create a recipe from an NPM URL.
+
+.. _npmsw-fetcher:
+
+NPM shrinkwrap Fetcher (``npmsw://``)
+-------------------------------------
+
+This submodule fetches source code from an
+`NPM shrinkwrap <https://docs.npmjs.com/cli/v8/commands/npm-shrinkwrap>`__
+description file, which lists the dependencies
+of an NPM package while locking their versions.
+
+The format for the :term:`SRC_URI` setting must be::
+
+   SRC_URI = "npmsw://some.registry.url;ParameterA=xxx;ParameterB=xxx;..."
+
+This fetcher supports the following parameters:
+
+-  *"dev":* Set this parameter to ``1`` to install "devDependencies".
+
+-  *"destsuffix":* Specifies the directory to use to unpack the dependencies
+   (``${S}`` by default).
+
+Note that the shrinkwrap file can also be provided by the recipe for
+the package which has such dependencies, for example::
+
+   SRC_URI = " \
+       npm://registry.npmjs.org/;package=cute-files;version=${PV} \
+       npmsw://${THISDIR}/${BPN}/npm-shrinkwrap.json \
+       "
+
+Such a file can automatically be generated using
+:yocto_docs:`devtool <https://docs.yoctoproject.org/ref-manual/devtool-reference.html>`
+as described in the :yocto_docs:`Creating Node Package Manager (NPM) Packages
+</dev-manual/common-tasks.html#creating-node-package-manager-npm-packages>`
+section of the Yocto Project.
+
 Other Fetchers
 --------------

@@ -713,8 +789,6 @@ Fetch submodules also exist for the following:

 -  Mercurial (``hg://``)

-  npm (``npm://``)
-
 -  OSC (``osc://``)

 -  Secure FTP (``sftp://``)
--- a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-metadata.rst
+++ b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-metadata.rst
@@ -195,22 +195,45 @@ value. However, if ``A`` is not set, the variable is set to "aval".
 Setting a weak default value (??=)
 ----------------------------------

-It is possible to use a "weaker" assignment than in the previous section
-by using the "??=" operator. This assignment behaves identical to "?="
-except that the assignment is made at the end of the parsing process
-rather than immediately. Consequently, when multiple "??=" assignments
-exist, the last one is used. Also, any "=" or "?=" assignment will
-override the value set with "??=". Here is an example::
+The weak default value of a variable is the value which that variable
+will expand to if no value has been assigned to it via any of the other
+assignment operators. The "??=" operator takes effect immediately, replacing
+any previously defined weak default value. Here is an example::

-   A ??= "somevalue"
-   A ??= "someothervalue"
+   W ??= "x"
+   A := "${W}" # Immediate variable expansion
+   W ??= "y"
+   B := "${W}" # Immediate variable expansion
+   W ??= "z"
+   C = "${W}"
+   W ?= "i"

-If ``A`` is set before the above statements are
-parsed, the variable retains its value. If ``A`` is not set, the
-variable is set to "someothervalue".
+After parsing we will have::

-Again, this assignment is a "lazy" or "weak" assignment because it does
-not occur until the end of the parsing process.
+   A = "x"
+   B = "y"
+   C = "i"
+   W = "i"
+
+Appending and prepending non-override style will not substitute the weak
+default value, which means that after parsing::
+
+   W ??= "x"
+   W += "y"
+
+we will have::
+
+   W = " y"
+
+On the other hand, override-style appends/prepends/removes are applied after
+any active weak default value has been substituted::
+
+   W ??= "x"
+   W:append = "y"
+
+After parsing we will have::
+
+   W = "xy"

 Immediate variable expansion (:=)
 ---------------------------------
--- a/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst
+++ b/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst
@@ -401,7 +401,7 @@ overview of their function and contents.

      Example usage::

-         BB_HASHSERVE_UPSTREAM = "typhoon.yocto.io:8687"
+         BB_HASHSERVE_UPSTREAM = "hashserv.yocto.io:8687"

   :term:`BB_INVALIDCONF`
      Used in combination with the ``ConfigParsed`` event to trigger
--- a/bitbake/lib/bb/COW.py
+++ b/bitbake/lib/bb/COW.py
@@ -3,6 +3,8 @@
 #
 # Copyright (C) 2006 Tim Ansell
 #
+# SPDX-License-Identifier: GPL-2.0-only
+#
 # Please Note:
 # Be careful when using mutable types (ie Dict and Lists) - operations involving these are SLOW.
 # Assign a file to __warn__ to get warnings about slow operations.
--- a/bitbake/lib/bb/asyncrpc/init.py
+++ b/bitbake/lib/bb/asyncrpc/init.py
@@ -1,4 +1,6 @@
 #
+# Copyright BitBake Contributors
+#
 # SPDX-License-Identifier: GPL-2.0-only
 #

--- a/bitbake/lib/bb/asyncrpc/client.py
+++ b/bitbake/lib/bb/asyncrpc/client.py
@@ -1,4 +1,6 @@
 #
+# Copyright BitBake Contributors
+#
 # SPDX-License-Identifier: GPL-2.0-only
 #

@@ -29,7 +31,17 @@ class AsyncClient(object):

    async def connect_unix(self, path):
        async def connect_sock():
-            return await asyncio.open_unix_connection(path)
+            # AF_UNIX has path length issues so chdir here to workaround
+            cwd = os.getcwd()
+            try:
+                os.chdir(os.path.dirname(path))
+                # The socket must be opened synchronously so that CWD doesn't get
+                # changed out from underneath us so we pass as a sock into asyncio
+                sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM, 0)
+                sock.connect(os.path.basename(path))
+            finally:
+               os.chdir(cwd)
+            return await asyncio.open_unix_connection(sock=sock)

        self._connect_sock = connect_sock

@@ -148,14 +160,8 @@ class Client(object):
            setattr(self, m, self._get_downcall_wrapper(downcall))

    def connect_unix(self, path):
-        # AF_UNIX has path length issues so chdir here to workaround
-        cwd = os.getcwd()
-        try:
-            os.chdir(os.path.dirname(path))
-            self.loop.run_until_complete(self.client.connect_unix(os.path.basename(path)))
-            self.loop.run_until_complete(self.client.connect())
-        finally:
-            os.chdir(cwd)
+        self.loop.run_until_complete(self.client.connect_unix(path))
+        self.loop.run_until_complete(self.client.connect())

    @property
    def max_chunk(self):
--- a/bitbake/lib/bb/asyncrpc/serv.py
+++ b/bitbake/lib/bb/asyncrpc/serv.py
@@ -1,4 +1,6 @@
 #
+# Copyright BitBake Contributors
+#
 # SPDX-License-Identifier: GPL-2.0-only
 #

--- a/bitbake/lib/bb/codeparser.py
+++ b/bitbake/lib/bb/codeparser.py
@@ -1,4 +1,6 @@
 #
+# Copyright BitBake Contributors
+#
 # SPDX-License-Identifier: GPL-2.0-only
 #

--- a/bitbake/lib/bb/compress/_pipecompress.py
+++ b/bitbake/lib/bb/compress/_pipecompress.py
@@ -1,4 +1,6 @@
 #
+# Copyright BitBake Contributors
+#
 # SPDX-License-Identifier: GPL-2.0-only
 #
 # Helper library to implement streaming compression and decompression using an
--- a/bitbake/lib/bb/compress/lz4.py
+++ b/bitbake/lib/bb/compress/lz4.py
@@ -1,4 +1,6 @@
 #
+# Copyright BitBake Contributors
+#
 # SPDX-License-Identifier: GPL-2.0-only
 #

--- a/bitbake/lib/bb/compress/zstd.py
+++ b/bitbake/lib/bb/compress/zstd.py
@@ -1,4 +1,6 @@
 #
+# Copyright BitBake Contributors
+#
 # SPDX-License-Identifier: GPL-2.0-only
 #

--- a/bitbake/lib/bb/cooker.py
+++ b/bitbake/lib/bb/cooker.py
@@ -13,7 +13,6 @@ import sys, os, glob, os.path, re, time
 import itertools
 import logging
 import multiprocessing
-import sre_constants
 import threading
 from io import StringIO, UnsupportedOperation
 from contextlib import closing
@@ -1907,7 +1906,7 @@ class CookerCollectFiles(object):
                try:
                    re.compile(mask)
                    bbmasks.append(mask)
-                except sre_constants.error:
+                except re.error:
                    collectlog.critical("BBMASK contains an invalid regular expression, ignoring: %s" % mask)

            # Then validate the combined regular expressions. This should never
@@ -1915,7 +1914,7 @@ class CookerCollectFiles(object):
            bbmask = "|".join(bbmasks)
            try:
                bbmask_compiled = re.compile(bbmask)
-            except sre_constants.error:
+            except re.error:
                collectlog.critical("BBMASK is not a valid regular expression, ignoring: %s" % bbmask)
                bbmask = None

--- a/bitbake/lib/bb/daemonize.py
+++ b/bitbake/lib/bb/daemonize.py
@@ -1,4 +1,6 @@
 #
+# Copyright BitBake Contributors
+#
 # SPDX-License-Identifier: GPL-2.0-only
 #

--- a/bitbake/lib/bb/event.py
+++ b/bitbake/lib/bb/event.py
@@ -132,8 +132,14 @@ def print_ui_queue():
    if not _uiready:
        from bb.msg import BBLogFormatter
        # Flush any existing buffered content
-        sys.stdout.flush()
-        sys.stderr.flush()
+        try:
+            sys.stdout.flush()
+        except:
+            pass
+        try:
+            sys.stderr.flush()
+        except:
+            pass
        stdout = logging.StreamHandler(sys.stdout)
        stderr = logging.StreamHandler(sys.stderr)
        formatter = BBLogFormatter("%(levelname)s: %(message)s")
--- a/bitbake/lib/bb/exceptions.py
+++ b/bitbake/lib/bb/exceptions.py
@@ -1,4 +1,6 @@
 #
+# Copyright BitBake Contributors
+#
 # SPDX-License-Identifier: GPL-2.0-only
 #

--- a/bitbake/lib/bb/fetch2/init.py
+++ b/bitbake/lib/bb/fetch2/init.py
@@ -1097,6 +1097,8 @@ def try_mirror_url(fetch, origud, ud, ld, check = False):

 def ensure_symlink(target, link_name):
    if not os.path.exists(link_name):
+        dirname = os.path.dirname(link_name)
+        bb.utils.mkdirhier(dirname)
        if os.path.islink(link_name):
            # Broken symbolic link
            os.unlink(link_name)
--- a/bitbake/lib/bb/fetch2/gitsm.py
+++ b/bitbake/lib/bb/fetch2/gitsm.py
@@ -88,7 +88,7 @@ class GitSM(Git):
                subrevision[m] = module_hash.split()[2]

                # Convert relative to absolute uri based on parent uri
-                if uris[m].startswith('..'):
+                if  uris[m].startswith('..') or uris[m].startswith('./'):
                    newud = copy.copy(ud)
                    newud.path = os.path.realpath(os.path.join(newud.path, uris[m]))
                    uris[m] = Git._get_repo_url(self, newud)
@@ -115,6 +115,9 @@ class GitSM(Git):
                    # This has to be a file reference
                    proto = "file"
                    url = "gitsm://" + uris[module]
+            if "{}{}".format(ud.host, ud.path) in url:
+                raise bb.fetch2.FetchError("Submodule refers to the parent repository. This will cause deadlock situation in current version of Bitbake." \
+                                           "Consider using git fetcher instead.")

            url += ';protocol=%s' % proto
            url += ";name=%s" % module
--- a/bitbake/lib/bb/fetch2/npm.py
+++ b/bitbake/lib/bb/fetch2/npm.py
@@ -156,7 +156,7 @@ class Npm(FetchMethod):
            raise ParameterError("Invalid 'version' parameter", ud.url)

        # Extract the 'registry' part of the url
-        ud.registry = re.sub(r"^npm://", "http://", ud.url.split(";")[0])
+        ud.registry = re.sub(r"^npm://", "https://", ud.url.split(";")[0])

        # Using the 'downloadfilename' parameter as local filename
        # or the npm package name.
--- a/bitbake/lib/bb/fetch2/osc.py
+++ b/bitbake/lib/bb/fetch2/osc.py
@@ -1,4 +1,6 @@
 #
+# Copyright BitBake Contributors
+#
 # SPDX-License-Identifier: GPL-2.0-only
 #
 """
--- a/bitbake/lib/bb/parse/parse_py/BBHandler.py
+++ b/bitbake/lib/bb/parse/parse_py/BBHandler.py
@@ -178,10 +178,10 @@ def feeder(lineno, s, fn, root, statements, eof=False):

    if s and s[0] == '#':
        if len(__residue__) != 0 and __residue__[0][0] != "#":
-            bb.fatal("There is a comment on line %s of file %s (%s) which is in the middle of a multiline expression.\nBitbake used to ignore these but no longer does so, please fix your metadata as errors are likely as a result of this change." % (lineno, fn, s))
+            bb.fatal("There is a comment on line %s of file %s:\n'''\n%s\n'''\nwhich is in the middle of a multiline expression. This syntax is invalid, please correct it." % (lineno, fn, s))

    if len(__residue__) != 0 and __residue__[0][0] == "#" and (not s or s[0] != "#"):
-        bb.fatal("There is a confusing multiline, partially commented expression on line %s of file %s (%s).\nPlease clarify whether this is all a comment or should be parsed." % (lineno, fn, s))
+        bb.fatal("There is a confusing multiline partially commented expression on line %s of file %s:\n%s\nPlease clarify whether this is all a comment or should be parsed." % (lineno - len(__residue__), fn, "\n".join(__residue__)))

    if s and s[-1] == '\\':
        __residue__.append(s[:-1])
--- a/bitbake/lib/bb/parse/parse_py/ConfHandler.py
+++ b/bitbake/lib/bb/parse/parse_py/ConfHandler.py
@@ -125,16 +125,21 @@ def handle(fn, data, include):
            s = f.readline()
            if not s:
                break
+            origlineno = lineno
+            origline = s
            w = s.strip()
            # skip empty lines
            if not w:
                continue
            s = s.rstrip()
            while s[-1] == '\\':
-                s2 = f.readline().rstrip()
+                line = f.readline()
+                origline += line
+                s2 = line.rstrip()
                lineno = lineno + 1
                if (not s2 or s2 and s2[0] != "#") and s[0] == "#" :
-                    bb.fatal("There is a confusing multiline, partially commented expression on line %s of file %s (%s).\nPlease clarify whether this is all a comment or should be parsed." % (lineno, fn, s))
+                    bb.fatal("There is a confusing multiline, partially commented expression starting on line %s of file %s:\n%s\nPlease clarify whether this is all a comment or should be parsed." % (origlineno, fn, origline))
+
                s = s[:-1] + s2
            # skip comments
            if s[0] == '#':
@@ -147,8 +152,6 @@ def handle(fn, data, include):
    if oldfile:
        data.setVar('FILE', oldfile)

-    f.close()
-
    for f in confFilters:
        f(fn, data)

--- a/bitbake/lib/bb/process.py
+++ b/bitbake/lib/bb/process.py
@@ -1,4 +1,6 @@
 #
+# Copyright BitBake Contributors
+#
 # SPDX-License-Identifier: GPL-2.0-only
 #

--- a/bitbake/lib/bb/runqueue.py
+++ b/bitbake/lib/bb/runqueue.py
@@ -24,6 +24,7 @@ import pickle
 from multiprocessing import Process
 import shlex
 import pprint
+import time

 bblogger = logging.getLogger("BitBake")
 logger = logging.getLogger("BitBake.RunQueue")
@@ -159,6 +160,55 @@ class RunQueueScheduler(object):
                self.buildable.append(tid)

        self.rev_prio_map = None
+        self.is_pressure_usable()
+
+    def is_pressure_usable(self):
+        """
+        If monitoring pressure, return True if pressure files can be open and read. For example
+        openSUSE /proc/pressure/* files have readable file permissions but when read the error EOPNOTSUPP (Operation not supported)
+        is returned.
+        """
+        if self.rq.max_cpu_pressure or self.rq.max_io_pressure or self.rq.max_memory_pressure:
+            try:
+                with open("/proc/pressure/cpu") as cpu_pressure_fds, \
+                    open("/proc/pressure/io") as io_pressure_fds, \
+                    open("/proc/pressure/memory") as memory_pressure_fds:
+
+                    self.prev_cpu_pressure = cpu_pressure_fds.readline().split()[4].split("=")[1]
+                    self.prev_io_pressure = io_pressure_fds.readline().split()[4].split("=")[1]
+                    self.prev_memory_pressure = memory_pressure_fds.readline().split()[4].split("=")[1]
+                    self.prev_pressure_time = time.time()
+                self.check_pressure = True
+            except:
+                bb.note("The /proc/pressure files can't be read. Continuing build without monitoring pressure")
+                self.check_pressure = False
+        else:
+            self.check_pressure = False
+
+    def exceeds_max_pressure(self):
+        """
+        Monitor the difference in total pressure at least once per second, if
+        BB_PRESSURE_MAX_{CPU|IO|MEMORY} are set, return True if above threshold.
+        """
+        if self.check_pressure:
+            with open("/proc/pressure/cpu") as cpu_pressure_fds, \
+                open("/proc/pressure/io") as io_pressure_fds, \
+                open("/proc/pressure/memory") as memory_pressure_fds:
+                # extract "total" from /proc/pressure/{cpu|io}
+                curr_cpu_pressure = cpu_pressure_fds.readline().split()[4].split("=")[1]
+                curr_io_pressure = io_pressure_fds.readline().split()[4].split("=")[1]
+                curr_memory_pressure = memory_pressure_fds.readline().split()[4].split("=")[1]
+                exceeds_cpu_pressure =  self.rq.max_cpu_pressure and (float(curr_cpu_pressure) - float(self.prev_cpu_pressure)) > self.rq.max_cpu_pressure
+                exceeds_io_pressure =  self.rq.max_io_pressure and (float(curr_io_pressure) - float(self.prev_io_pressure)) > self.rq.max_io_pressure
+                exceeds_memory_pressure = self.rq.max_memory_pressure and (float(curr_memory_pressure) - float(self.prev_memory_pressure)) > self.rq.max_memory_pressure
+                now = time.time()
+                if now - self.prev_pressure_time > 1.0:
+                    self.prev_cpu_pressure = curr_cpu_pressure
+                    self.prev_io_pressure = curr_io_pressure
+                    self.prev_memory_pressure = curr_memory_pressure
+                    self.prev_pressure_time = now
+            return (exceeds_cpu_pressure or exceeds_io_pressure or exceeds_memory_pressure)
+        return False

    def next_buildable_task(self):
        """
@@ -172,6 +222,12 @@ class RunQueueScheduler(object):
        if not buildable:
            return None

+        # Bitbake requires that at least one task be active. Only check for pressure if
+        # this is the case, otherwise the pressure limitation could result in no tasks
+        # being active and no new tasks started thereby, at times, breaking the scheduler.
+        if self.rq.stats.active and self.exceeds_max_pressure():
+            return None
+
        # Filter out tasks that have a max number of threads that have been exceeded
        skip_buildable = {}
        for running in self.rq.runq_running.difference(self.rq.runq_complete):
@@ -1699,6 +1755,9 @@ class RunQueueExecute:

        self.number_tasks = int(self.cfgData.getVar("BB_NUMBER_THREADS") or 1)
        self.scheduler = self.cfgData.getVar("BB_SCHEDULER") or "speed"
+        self.max_cpu_pressure = self.cfgData.getVar("BB_PRESSURE_MAX_CPU")
+        self.max_io_pressure = self.cfgData.getVar("BB_PRESSURE_MAX_IO")
+        self.max_memory_pressure = self.cfgData.getVar("BB_PRESSURE_MAX_MEMORY")

        self.sq_buildable = set()
        self.sq_running = set()
@@ -1733,6 +1792,29 @@ class RunQueueExecute:
        if self.number_tasks <= 0:
             bb.fatal("Invalid BB_NUMBER_THREADS %s" % self.number_tasks)

+        lower_limit = 1.0
+        upper_limit = 1000000.0
+        if self.max_cpu_pressure:
+            self.max_cpu_pressure = float(self.max_cpu_pressure)
+            if self.max_cpu_pressure < lower_limit:
+                bb.fatal("Invalid BB_PRESSURE_MAX_CPU %s, minimum value is %s." % (self.max_cpu_pressure, lower_limit))
+            if self.max_cpu_pressure > upper_limit:
+                bb.warn("Your build will be largely unregulated since BB_PRESSURE_MAX_CPU is set to %s. It is very unlikely that such high pressure will be experienced." % (self.max_cpu_pressure))
+
+        if self.max_io_pressure:
+            self.max_io_pressure = float(self.max_io_pressure)
+            if self.max_io_pressure < lower_limit:
+                bb.fatal("Invalid BB_PRESSURE_MAX_IO %s, minimum value is %s." % (self.max_io_pressure, lower_limit))
+            if self.max_io_pressure > upper_limit:
+                bb.warn("Your build will be largely unregulated since BB_PRESSURE_MAX_IO is set to %s. It is very unlikely that such high pressure will be experienced." % (self.max_io_pressure))
+
+        if self.max_memory_pressure:
+            self.max_memory_pressure = float(self.max_memory_pressure)
+            if self.max_memory_pressure < lower_limit:
+                bb.fatal("Invalid BB_PRESSURE_MAX_MEMORY %s, minimum value is %s." % (self.max_memory_pressure, lower_limit))
+            if self.max_memory_pressure > upper_limit:
+                bb.warn("Your build will be largely unregulated since BB_PRESSURE_MAX_MEMORY is set to %s. It is very unlikely that such high pressure will be experienced." % (self.max_io_pressure))
+            
        # List of setscene tasks which we've covered
        self.scenequeue_covered = set()
        # List of tasks which are covered (including setscene ones)
@@ -2172,10 +2254,9 @@ class RunQueueExecute:

        # No more tasks can be run. If we have deferred setscene tasks we should run them.
        if self.sq_deferred:
-            tid = self.sq_deferred.pop(list(self.sq_deferred.keys())[0])
-            logger.warning("Runqeueue deadlocked on deferred tasks, forcing task %s" % tid)
-            if tid not in self.runq_complete:
-                self.sq_task_failoutright(tid)
+            deferred_tid = list(self.sq_deferred.keys())[0]
+            blocking_tid = self.sq_deferred.pop(deferred_tid)
+            logger.warning("Runqeueue deadlocked on deferred tasks, forcing task %s blocked by %s" % (deferred_tid, blocking_tid))
            return True

        if self.failed_tids:
@@ -2299,6 +2380,9 @@ class RunQueueExecute:
                    self.rqdata.runtaskentries[hashtid].unihash = unihash
                    bb.parse.siggen.set_unihash(hashtid, unihash)
                    toprocess.add(hashtid)
+                if torehash:
+                    # Need to save after set_unihash above
+                    bb.parse.siggen.save_unitaskhashes()

        # Work out all tasks which depend upon these
        total = set()
@@ -2438,11 +2522,14 @@ class RunQueueExecute:

        if update_tasks:
            self.sqdone = False
-            for tid in [t[0] for t in update_tasks]:
-                h = pending_hash_index(tid, self.rqdata)
-                if h in self.sqdata.hashes and tid != self.sqdata.hashes[h]:
-                    self.sq_deferred[tid] = self.sqdata.hashes[h]
-                    bb.note("Deferring %s after %s" % (tid, self.sqdata.hashes[h]))
+            for mc in sorted(self.sqdata.multiconfigs):
+                for tid in sorted([t[0] for t in update_tasks]):
+                    if mc_from_tid(tid) != mc:
+                        continue
+                    h = pending_hash_index(tid, self.rqdata)
+                    if h in self.sqdata.hashes and tid != self.sqdata.hashes[h]:
+                        self.sq_deferred[tid] = self.sqdata.hashes[h]
+                        bb.note("Deferring %s after %s" % (tid, self.sqdata.hashes[h]))
            update_scenequeue_data([t[0] for t in update_tasks], self.sqdata, self.rqdata, self.rq, self.cooker, self.stampcache, self, summary=False)

        for (tid, harddepfail, origvalid) in update_tasks:
--- a/bitbake/lib/bb/siggen.py
+++ b/bitbake/lib/bb/siggen.py
@@ -1,4 +1,6 @@
 #
+# Copyright BitBake Contributors
+#
 # SPDX-License-Identifier: GPL-2.0-only
 #

@@ -419,7 +421,7 @@ class SignatureGeneratorBasic(SignatureGenerator):
                bb.error("Taskhash mismatch %s versus %s for %s" % (computed_taskhash, self.taskhash[tid], tid))
                sigfile = sigfile.replace(self.taskhash[tid], computed_taskhash)

-        fd, tmpfile = tempfile.mkstemp(dir=os.path.dirname(sigfile), prefix="sigtask.")
+        fd, tmpfile = bb.utils.mkstemp(dir=os.path.dirname(sigfile), prefix="sigtask.")
        try:
            with bb.compress.zstd.open(fd, "wt", encoding="utf-8", num_threads=1) as f:
                json.dump(data, f, sort_keys=True, separators=(",", ":"), cls=SetEncoder)
--- a/bitbake/lib/bb/tests/compression.py
+++ b/bitbake/lib/bb/tests/compression.py
@@ -1,4 +1,6 @@
 #
+# Copyright BitBake Contributors
+#
 # SPDX-License-Identifier: GPL-2.0-only
 #

--- a/bitbake/lib/bb/tests/cooker.py
+++ b/bitbake/lib/bb/tests/cooker.py
@@ -1,6 +1,8 @@
 #
 # BitBake Tests for cooker.py
 #
+# Copyright BitBake Contributors
+#
 # SPDX-License-Identifier: GPL-2.0-only
 #

--- a/bitbake/lib/bb/tests/fetch.py
+++ b/bitbake/lib/bb/tests/fetch.py
@@ -1834,7 +1834,7 @@ class GitShallowTest(FetcherTest):
        self.add_empty_file('bsub', cwd=smdir)

        self.git('submodule init', cwd=self.srcdir)
-        self.git('submodule add file://%s' % smdir, cwd=self.srcdir)
+        self.git('-c protocol.file.allow=always submodule add file://%s' % smdir, cwd=self.srcdir)
        self.git('submodule update', cwd=self.srcdir)
        self.git('commit -m submodule -a', cwd=self.srcdir)

@@ -1864,7 +1864,7 @@ class GitShallowTest(FetcherTest):
        self.add_empty_file('bsub', cwd=smdir)

        self.git('submodule init', cwd=self.srcdir)
-        self.git('submodule add file://%s' % smdir, cwd=self.srcdir)
+        self.git('-c protocol.file.allow=always submodule add file://%s' % smdir, cwd=self.srcdir)
        self.git('submodule update', cwd=self.srcdir)
        self.git('commit -m submodule -a', cwd=self.srcdir)

--- a/bitbake/lib/bb/tests/parse.py
+++ b/bitbake/lib/bb/tests/parse.py
@@ -194,3 +194,26 @@ deltask ${EMPTYVAR}
        self.assertTrue('addtask ignored: " do_patch"' in stdout)
        #self.assertTrue('dependent task do_foo for do_patch does not exist' in stdout)

+    broken_multiline_comment = """
+# First line of comment \\
+# Second line of comment \\
+
+"""
+    def test_parse_broken_multiline_comment(self):
+        f = self.parsehelper(self.broken_multiline_comment)
+        with self.assertRaises(bb.BBHandledException):
+            d = bb.parse.handle(f.name, self.d)['']
+
+
+    comment_in_var = """
+VAR = " \\
+    SOMEVAL \\
+#   some comment \\
+    SOMEOTHERVAL \\
+"
+"""
+    def test_parse_comment_in_var(self):
+        f = self.parsehelper(self.comment_in_var)
+        with self.assertRaises(bb.BBHandledException):
+            d = bb.parse.handle(f.name, self.d)['']
+
--- a/bitbake/lib/bb/utils.py
+++ b/bitbake/lib/bb/utils.py
@@ -28,6 +28,8 @@ import signal
 import collections
 import copy
 import ctypes
+import random
+import tempfile
 from subprocess import getstatusoutput
 from contextlib import contextmanager
 from ctypes import cdll
@@ -429,12 +431,14 @@ def better_eval(source, locals, extraglobals = None):
    return eval(source, ctx, locals)

@contextmanager
-def fileslocked(files):
+def fileslocked(files, *args, **kwargs):
    """Context manager for locking and unlocking file locks."""
    locks = []
    if files:
        for lockfile in files:
-            locks.append(bb.utils.lockfile(lockfile))
+            l = bb.utils.lockfile(lockfile, *args, **kwargs)
+            if l is not None:
+                locks.append(l)

    try:
        yield
@@ -692,8 +696,8 @@ def remove(path, recurse=False, ionice=False):
        return
    if recurse:
        for name in glob.glob(path):
-            if _check_unsafe_delete_path(path):
-                raise Exception('bb.utils.remove: called with dangerous path "%s" and recurse=True, refusing to delete!' % path)
+            if _check_unsafe_delete_path(name):
+                raise Exception('bb.utils.remove: called with dangerous path "%s" and recurse=True, refusing to delete!' % name)
        # shutil.rmtree(name) would be ideal but its too slow
        cmd = []
        if ionice:
@@ -751,7 +755,7 @@ def movefile(src, dest, newmtime = None, sstat = None):
        if not sstat:
            sstat = os.lstat(src)
    except Exception as e:
-        print("movefile: Stating source file failed...", e)
+        logger.warning("movefile: Stating source file failed...", e)
        return None

    destexists = 1
@@ -779,7 +783,7 @@ def movefile(src, dest, newmtime = None, sstat = None):
            os.unlink(src)
            return os.lstat(dest)
        except Exception as e:
-            print("movefile: failed to properly create symlink:", dest, "->", target, e)
+            logger.warning("movefile: failed to properly create symlink:", dest, "->", target, e)
            return None

    renamefailed = 1
@@ -796,7 +800,7 @@ def movefile(src, dest, newmtime = None, sstat = None):
        except Exception as e:
            if e.errno != errno.EXDEV:
                # Some random error.
-                print("movefile: Failed to move", src, "to", dest, e)
+                logger.warning("movefile: Failed to move", src, "to", dest, e)
                return None
            # Invalid cross-device-link 'bind' mounted or actually Cross-Device

@@ -808,13 +812,13 @@ def movefile(src, dest, newmtime = None, sstat = None):
                bb.utils.rename(destpath + "#new", destpath)
                didcopy = 1
            except Exception as e:
-                print('movefile: copy', src, '->', dest, 'failed.', e)
+                logger.warning('movefile: copy', src, '->', dest, 'failed.', e)
                return None
        else:
            #we don't yet handle special, so we need to fall back to /bin/mv
            a = getstatusoutput("/bin/mv -f " + "'" + src + "' '" + dest + "'")
            if a[0] != 0:
-                print("movefile: Failed to move special file:" + src + "' to '" + dest + "'", a)
+                logger.warning("movefile: Failed to move special file:" + src + "' to '" + dest + "'", a)
                return None # failure
        try:
            if didcopy:
@@ -822,7 +826,7 @@ def movefile(src, dest, newmtime = None, sstat = None):
                os.chmod(destpath, stat.S_IMODE(sstat[stat.ST_MODE])) # Sticky is reset on chown
                os.unlink(src)
        except Exception as e:
-            print("movefile: Failed to chown/chmod/unlink", dest, e)
+            logger.warning("movefile: Failed to chown/chmod/unlink", dest, e)
            return None

    if newmtime:
@@ -1754,3 +1758,22 @@ def is_local_uid(uid=''):
            if str(uid) == line_split[2]:
                return True
    return False
+
+def mkstemp(suffix=None, prefix=None, dir=None, text=False):
+    """
+    Generates a unique filename, independent of time.
+
+    mkstemp() in glibc (at least) generates unique file names based on the
+    current system time. When combined with highly parallel builds, and
+    operating over NFS (e.g. shared sstate/downloads) this can result in
+    conflicts and race conditions.
+
+    This function adds additional entropy to the file name so that a collision
+    is independent of time and thus extremely unlikely.
+    """
+    entropy = "".join(random.choices("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890", k=20))
+    if prefix:
+        prefix = prefix + entropy
+    else:
+        prefix = tempfile.gettempprefix() + entropy
+    return tempfile.mkstemp(suffix=suffix, prefix=prefix, dir=dir, text=text)
--- a/bitbake/lib/bblayers/init.py
+++ b/bitbake/lib/bblayers/init.py
@@ -1,4 +1,6 @@
 #
+# Copyright BitBake Contributors
+#
 # SPDX-License-Identifier: GPL-2.0-only
 #

--- a/bitbake/lib/bblayers/action.py
+++ b/bitbake/lib/bblayers/action.py
@@ -1,4 +1,6 @@
 #
+# Copyright BitBake Contributors
+#
 # SPDX-License-Identifier: GPL-2.0-only
 #

--- a/bitbake/lib/bblayers/common.py
+++ b/bitbake/lib/bblayers/common.py
@@ -1,4 +1,6 @@
 #
+# Copyright BitBake Contributors
+#
 # SPDX-License-Identifier: GPL-2.0-only
 #

--- a/bitbake/lib/bblayers/layerindex.py
+++ b/bitbake/lib/bblayers/layerindex.py
@@ -1,4 +1,6 @@
 #
+# Copyright BitBake Contributors
+#
 # SPDX-License-Identifier: GPL-2.0-only
 #

--- a/bitbake/lib/bblayers/query.py
+++ b/bitbake/lib/bblayers/query.py
@@ -1,4 +1,6 @@
 #
+# Copyright BitBake Contributors
+#
 # SPDX-License-Identifier: GPL-2.0-only
 #

--- a/bitbake/lib/prserv/init.py
+++ b/bitbake/lib/prserv/init.py
@@ -1,4 +1,6 @@
 #
+# Copyright BitBake Contributors
+#
 # SPDX-License-Identifier: GPL-2.0-only
 #

--- a/bitbake/lib/prserv/client.py
+++ b/bitbake/lib/prserv/client.py
@@ -1,4 +1,6 @@
 #
+# Copyright BitBake Contributors
+#
 # SPDX-License-Identifier: GPL-2.0-only
 #

--- a/bitbake/lib/prserv/db.py
+++ b/bitbake/lib/prserv/db.py
@@ -1,4 +1,6 @@
 #
+# Copyright BitBake Contributors
+#
 # SPDX-License-Identifier: GPL-2.0-only
 #

--- a/bitbake/lib/prserv/serv.py
+++ b/bitbake/lib/prserv/serv.py
@@ -1,4 +1,6 @@
 #
+# Copyright BitBake Contributors
+#
 # SPDX-License-Identifier: GPL-2.0-only
 #

--- a/bitbake/lib/toaster/manage.py
+++ b/bitbake/lib/toaster/manage.py
@@ -1,5 +1,7 @@
 #!/usr/bin/env python3
 #
+# Copyright BitBake Contributors
+#
 # SPDX-License-Identifier: GPL-2.0-only
 #

--- a/bitbake/lib/toaster/orm/fixtures/poky.xml
+++ b/bitbake/lib/toaster/orm/fixtures/poky.xml
@@ -42,7 +42,7 @@
  <!-- Releases available -->
  <object model="orm.release" pk="1">
    <field type="CharField" name="name">kirkstone</field>
-    <field type="CharField" name="description">Yocto Project 3.5 "Kirkstone"</field>
+    <field type="CharField" name="description">Yocto Project 4.0 "Kirkstone"</field>
    <field rel="ManyToOneRel" to="orm.bitbakeversion" name="bitbake_version">1</field>
    <field type="CharField" name="branch_name">kirkstone</field>
    <field type="TextField" name="helptext">Toaster will run your builds using the tip of the &lt;a href="https://git.yoctoproject.org/cgit/cgit.cgi/poky/log/?h=kirkstone"&gt;Yocto Project Kirkstone branch&lt;/a&gt;.</field>
--- a/documentation/brief-yoctoprojectqs/index.rst
+++ b/documentation/brief-yoctoprojectqs/index.rst
@@ -64,6 +64,7 @@ following requirements:
   -  tar &MIN_TAR_VERSION; or greater
   -  Python &MIN_PYTHON_VERSION; or greater.
   -  gcc &MIN_GCC_VERSION; or greater.
+   -  GNU make &MIN_MAKE_VERSION; or greater

 If your build host does not meet any of these three listed version
 requirements, you can take steps to prepare the system so that you
--- a/documentation/dev-manual/common-tasks.rst
+++ b/documentation/dev-manual/common-tasks.rst
@@ -2562,7 +2562,7 @@ Recipe Syntax
 Understanding recipe file syntax is important for writing recipes. The
 following list overviews the basic items that make up a BitBake recipe
 file. For more complete BitBake syntax descriptions, see the
-":doc:`bitbake-user-manual/bitbake-user-manual-metadata`"
+":doc:`bitbake:bitbake-user-manual/bitbake-user-manual-metadata`"
 chapter of the BitBake User Manual.

 -  *Variable Assignments and Manipulations:* Variable assignments allow
--- a/documentation/migration-guides/release-3.4.rst
+++ b/documentation/migration-guides/release-3.4.rst
@@ -7,4 +7,6 @@ Release 3.4 (honister)
   release-notes-3.4
   release-notes-3.4.1
   release-notes-3.4.2
+   release-notes-3.4.3
+   release-notes-3.4.4

--- a/documentation/migration-guides/release-4.0.rst
+++ b/documentation/migration-guides/release-4.0.rst
@@ -5,3 +5,7 @@ Release 4.0 (kirkstone)

   migration-4.0
   release-notes-4.0
+   release-notes-4.0.1
+   release-notes-4.0.2
+   release-notes-4.0.3
+   release-notes-4.0.4
--- a/documentation/migration-guides/release-notes-3.4.3.rst
+++ b/documentation/migration-guides/release-notes-3.4.3.rst
@@ -0,0 +1,197 @@
+Release notes for 3.4.3 (honister)
+----------------------------------
+
+Security Fixes in 3.4.3
+~~~~~~~~~~~~~~~~~~~~~~~
+
+-  ghostscript: fix :cve:`2021-3781`
+-  ghostscript: fix :cve:`2021-45949`
+-  tiff: Add backports for two CVEs from upstream (:cve:`2022-0561` & :cve:`2022-0562`)
+-  gcc : Fix :cve:`2021-46195`
+-  virglrenderer: fix `CVE-2022-0135 <https://security-tracker.debian.org/tracker/CVE-2022-0135>`__ and `CVE-2022-0175 <https://security-tracker.debian.org/tracker/CVE-2022-0175>`__
+-  binutils: Add fix for :cve:`2021-45078`
+
+
+Fixes in 3.4.3
+~~~~~~~~~~~~~~
+
+-  Revert "cve-check: add lockfile to task"
+-  asciidoc: update git repository
+-  bitbake: build: Tweak exception handling for setscene tasks
+-  bitbake: contrib: Fix hash server Dockerfile dependencies
+-  bitbake: cooker: Improve parsing failure from handled exception usability
+-  bitbake: data_smart: Fix overrides file/line message additions
+-  bitbake: fetch2: ssh: username and password are optional
+-  bitbake: tests/fetch: Handle upstream master -> main branch change
+-  bitbake: utils: Ensure shell function failure in python logging is correct
+-  build-appliance-image: Update to honister head revision
+-  build-appliance-image: Update to honister head revision
+-  coreutils: remove obsolete ignored CVE list
+-  crate-fetch: fix setscene failures
+-  cups: Add --with-dbusdir to EXTRA_OECONF for deterministic build
+-  cve-check: create directory of CVE_CHECK_MANIFEST before copy
+-  cve-check: get_cve_info should open the database read-only
+-  default-distrovars.inc: Switch connectivity check to a yoctoproject.org page
+-  depmodwrapper-cross: add config directory option
+-  devtool: deploy-target: Remove stripped binaries in pseudo context
+-  devtool: explicitly set main or master branches in upgrades when available
+-  docs: fix hardcoded link warning messages
+-  documentation: conf.py: update for 3.4.2
+-  documentation: prepare for 3.4.3 release
+-  expat: Upgrade to 2.4.7
+-  gcc-target: fix glob to remove gcc-<version> binary
+-  gcsections: add nativesdk-cairo to exclude list
+-  go: update to 1.16.15
+-  gst-devtools: 1.18.5 -> 1.18.6
+-  gst-examples: 1.18.5 -> 1.18.6
+-  gstreamer1.0-libav: 1.18.5 -> 1.18.6
+-  gstreamer1.0-omx: 1.18.5 -> 1.18.6
+-  gstreamer1.0-plugins-bad: 1.18.5 -> 1.18.6
+-  gstreamer1.0-plugins-base: 1.18.5 -> 1.18.6
+-  gstreamer1.0-plugins-good: 1.18.5 -> 1.18.6
+-  gstreamer1.0-plugins-ugly: 1.18.5 -> 1.18.6
+-  gstreamer1.0-python: 1.18.5 -> 1.18.6
+-  gstreamer1.0-rtsp-server: 1.18.5 -> 1.18.6
+-  gstreamer1.0-vaapi: 1.18.5 -> 1.18.6
+-  gstreamer1.0: 1.18.5 -> 1.18.6
+-  harfbuzz: upgrade 2.9.0 -> 2.9.1
+-  initramfs-framework: unmount automounts before switch_root
+-  kernel-devsrc: do not copy Module.symvers file during install
+-  libarchive : update to 3.5.3
+-  libpcap: Disable DPDK explicitly
+-  libxml-parser-perl: Add missing RDEPENDS
+-  linux-firmware: upgrade 20211216 -> 20220209
+-  linux-yocto/5.10: Fix ramoops/ftrace
+-  linux-yocto/5.10: features/zram: remove CONFIG_ZRAM_DEF_COMP
+-  linux-yocto/5.10: fix dssall build error with binutils 2.3.8
+-  linux-yocto/5.10: ppc/riscv: fix build with binutils 2.3.8
+-  linux-yocto/5.10: update genericx86* machines to v5.10.99
+-  linux-yocto/5.10: update to v5.10.103
+-  mc: fix build if ncurses have been configured without wide characters
+-  oeqa/buildtools: Switch to our webserver instead of example.com
+-  patch.py: Prevent git repo reinitialization
+-  perl: Improve and update module RPDEPENDS
+-  poky.conf: bump version for 3.4.3 honister release
+-  qemuboot: Fix build error if UNINATIVE_LOADER is unset
+-  quilt: Disable external sendmail for deterministic build
+-  recipetool: Fix circular reference in SRC_URI
+-  releases: update to include 3.3.5
+-  releases: update to include 3.4.2
+-  rootfs-postcommands: amend systemd_create_users add user to group check
+-  ruby: update 3.0.2 -> 3.0.3
+-  scripts/runqemu-ifdown: Don't treat the last iptables command as special
+-  sdk: fix search for dynamic loader
+-  selftest: recipetool: Correct the URI for socat
+-  sstate: inside the threadedpool don't write to the shared localdata
+-  uninative: Upgrade to 3.5
+-  util-linux: upgrade to 2.37.4
+-  vim: Update to 8.2.4524 for further CVE fixes
+-  wic: Use custom kernel path if provided
+-  wireless-regdb: upgrade 2021.08.28 -> 2022.02.18
+-  zip: modify when match.S is built
+
+Contributors to 3.4.3
+~~~~~~~~~~~~~~~~~~~~~
+
+-  Alexander Kanavin
+-  Anuj Mittal
+-  Bill Pittman
+-  Bruce Ashfield
+-  Chee Yang Lee
+-  Christian Eggers
+-  Daniel Gomez
+-  Daniel Müller
+-  Daniel Wagenknecht
+-  Florian Amstutz
+-  Joe Slater
+-  Jose Quaresma
+-  Justin Bronder
+-  Lee Chee Yang
+-  Michael Halstead
+-  Michael Opdenacker
+-  Oleksandr Ocheretnyi
+-  Oleksandr Suvorov
+-  Pavel Zhukov
+-  Peter Kjellerstedt
+-  Richard Purdie
+-  Robert Yang
+-  Ross Burton
+-  Sakib Sajal
+-  Saul Wold
+-  Sean Anderson
+-  Stefan Herbrechtsmeier
+-  Tamizharasan Kumar
+-  Tean Cunningham
+-  Zoltán Böszörményi
+-  pgowda
+-  wangmy
+
+Repositories / Downloads for 3.4.3
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+poky
+
+-  Repository Location: https://git.yoctoproject.org/poky/
+-  Branch: :yocto_git:`honister </poky/log/?h=honister>`
+-  Tag: `yocto-3.4.3 <https://git.yoctoproject.org/poky/tag/?h=yocto-3.4.3>`__
+-  Git Revision: :yocto_git:`ee68ae307fd951b9de6b31dc6713ea29186b7749 </poky/commit/?id=ee68ae307fd951b9de6b31dc6713ea29186b7749>`
+-  Release Artefact: poky-ee68ae307fd951b9de6b31dc6713ea29186b7749
+-  sha: 92c3d73c3e74f0e1d5c2ab2836ce3a3accbe47772cea70df3755845e0db1379b
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-3.4.3/poky-ee68ae307fd951b9de6b31dc6713ea29186b7749.tar.bz2,
+   http://mirrors.kernel.org/yocto/yocto/yocto-3.4.3/poky-ee68ae307fd951b9de6b31dc6713ea29186b7749.tar.bz2
+
+openembedded-core
+
+-  Repository Location: :oe_git:`/openembedded-core`
+-  Branch: :oe_git:`honister </openembedded-core/log/?h=honister>`
+-  Tag: :oe_git:`yocto-3.4.3 </openembedded-core/tag/?h=yocto-3.4.3>`
+-  Git Revision: :oe_git:`ebca8f3ac9372b7ebb3d39e8f7f930b63b481448 </openembedded-core/commit/?id=ebca8f3ac9372b7ebb3d39e8f7f930b63b481448>`
+-  Release Artefact: oecore-ebca8f3ac9372b7ebb3d39e8f7f930b63b481448
+-  sha: f28e503f6f6c0bcd9192dbd528f8e3c7bcea504c089117e0094d9a4f315f4b9f
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-3.4.3/oecore-ebca8f3ac9372b7ebb3d39e8f7f930b63b481448.tar.bz2,
+   http://mirrors.kernel.org/yocto/yocto/yocto-3.4.3/oecore-ebca8f3ac9372b7ebb3d39e8f7f930b63b481448.tar.bz2
+
+meta-mingw
+
+-  Repository Location: https://git.yoctoproject.org/meta-mingw
+-  Branch: :yocto_git:`honister </meta-mingw/log/?h=honister>`
+-  Tag: :yocto_git:`yocto-3.4.3 </meta-mingw/tag/?h=yocto-3.4.3>`
+-  Git Revision: :yocto_git:`f5d761cbd5c957e4405c5d40b0c236d263c916a8 </meta-mingw/commit/?id=f5d761cbd5c957e4405c5d40b0c236d263c916a8>`
+-  Release Artefact: meta-mingw-f5d761cbd5c957e4405c5d40b0c236d263c916a8
+-  sha: d4305d638ef80948584526c8ca386a8cf77933dffb8a3b8da98d26a5c40fcc11
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-3.4.3/meta-mingw-f5d761cbd5c957e4405c5d40b0c236d263c916a8.tar.bz2,
+   http://mirrors.kernel.org/yocto/yocto/yocto-3.4.3/meta-mingw-f5d761cbd5c957e4405c5d40b0c236d263c916a8.tar.bz2
+
+meta-gplv2
+
+-  Repository Location: https://git.yoctoproject.org/meta-gplv2
+-  Branch: :yocto_git:`honister </meta-gplv2/log/?h=honister>`
+-  Tag: :yocto_git:`yocto-3.4.3 </meta-gplv2/tag/?h=yocto-3.4.3>`
+-  Git Revision: :yocto_git:`f04e4369bf9dd3385165281b9fa2ed1043b0e400 </meta-gplv2/commit/?id=f04e4369bf9dd3385165281b9fa2ed1043b0e400>`
+-  Release Artefact: meta-gplv2-f04e4369bf9dd3385165281b9fa2ed1043b0e400
+-  sha: ef8e2b1ec1fb43dbee4ff6990ac736315c7bc2d8c8e79249e1d337558657d3fe
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-3.4.3/meta-gplv2-f04e4369bf9dd3385165281b9fa2ed1043b0e400.tar.bz2,
+   http://mirrors.kernel.org/yocto/yocto/yocto-3.4.3/meta-gplv2-f04e4369bf9dd3385165281b9fa2ed1043b0e400.tar.bz2
+
+bitbake
+
+-  Repository Location: :oe_git:`/bitbake`
+-  Branch: :oe_git:`1.52 </bitbake/log/?h=1.52>`
+-  Tag: :oe_git:`yocto-3.4.3 </bitbake/tag/?h=yocto-3.4.3>`
+-  Git Revision: :oe_git:`43dcb2b2a2b95a5c959be57bca94fb7190ea6257 </bitbake/commit/?id=43dcb2b2a2b95a5c959be57bca94fb7190ea6257>`
+-  Release Artefact: bitbake-43dcb2b2a2b95a5c959be57bca94fb7190ea6257
+-  sha: 92497ff97fed81dcc6d3e202969fb63ca983a8f5d9d91cafc6aee88312f79cf9
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-3.4.3/bitbake-43dcb2b2a2b95a5c959be57bca94fb7190ea6257.tar.bz2,
+   http://mirrors.kernel.org/yocto/yocto/yocto-3.4.3/bitbake-43dcb2b2a2b95a5c959be57bca94fb7190ea6257.tar.bz2
+
+yocto-docs
+
+-  Repository Location: https://git.yoctoproject.org/yocto-docs
+-  Branch: :yocto_git:`honister </yocto-docs/log/?h=honister>`
+-  Tag: :yocto_git:`yocto-3.4.3 </yocto-docs/tag/?h=yocto-3.4.3>`
+-  Git Revision: :yocto_git:`15f46f97d9cad558c19fc1dc19cfbe3720271d04 </yocto-docs/commit/?15f46f97d9cad558c19fc1dc19cfbe3720271d04>`
--- a/documentation/migration-guides/release-notes-3.4.4.rst
+++ b/documentation/migration-guides/release-notes-3.4.4.rst
@@ -0,0 +1,155 @@
+Release notes for 3.4.4 (honister)
+----------------------------------
+
+Security Fixes in 3.4.4
+~~~~~~~~~~~~~~~~~~~~~~~
+
+-  tiff: fix :cve:`2022-0865`, :cve:`2022-0891`, :cve:`2022-0907`, :cve:`2022-0908`, :cve:`2022-0909` and :cve:`2022-0924`
+-  xz: fix `CVE-2022-1271 <https://security-tracker.debian.org/tracker/CVE-2022-1271>`__
+-  unzip: fix `CVE-2021-4217 <https://security-tracker.debian.org/tracker/CVE-2021-4217>`__
+-  zlib: fix :cve:`2018-25032`
+-  grub: ignore :cve:`2021-46705`
+
+Fixes in 3.4.4
+~~~~~~~~~~~~~~
+
+-  alsa-tools: Ensure we install correctly
+-  bitbake.conf: mark all directories as safe for git to read
+-  bitbake: knotty: display active tasks when printing keepAlive() message
+-  bitbake: knotty: reduce keep-alive timeout from 5000s (83 minutes) to 10 minutes
+-  bitbake: server/process: Disable gc around critical section
+-  bitbake: server/xmlrpcserver: Add missing xmlrpcclient import
+-  bitbake: toaster: Fix IMAGE_INSTALL issues with _append vs :append
+-  bitbake: toaster: fixtures replace gatesgarth
+-  build-appliance-image: Update to honister head revision
+-  conf.py/poky.yaml: Move version information to poky.yaml and read in conf.py
+-  conf/machine: fix QEMU x86 sound options
+-  devupstream: fix handling of SRC_URI
+-  documentation: update for 3.4.4 release
+-  externalsrc/devtool: Fix to work with fixed export funcition flags handling
+-  gmp: add missing COPYINGv3
+-  gnu-config: update SRC_URI
+-  libxml2: fix CVE-2022-23308 regression
+-  libxml2: move to gitlab.gnome.org
+-  libxml2: update to 2.9.13
+-  libxshmfence: Correct LICENSE to HPND
+-  license_image.bbclass: close package.manifest file
+-  linux-firmware: correct license for ar3k firmware
+-  linux-firmware: upgrade 20220310 -> 20220411
+-  linux-yocto-rt/5.10: update to -rt61
+-  linux-yocto/5.10: cfg/debug: add configs for kcsan
+-  linux-yocto/5.10: split vtpm for more granular inclusion
+-  linux-yocto/5.10: update to v5.10.109
+-  linux-yocto: nohz_full boot arg fix
+-  oe-pkgdata-util: Adapt to the new variable override syntax
+-  oeqa/selftest/devtool: ensure Git username is set before upgrade tests
+-  poky.conf: bump version for 3.4.4 release
+-  pseudo: Add patch to workaround paths with crazy lengths
+-  pseudo: Fix handling of absolute links
+-  sanity: Add warning for local hasheqiv server with remote sstate mirrors
+-  scripts/runqemu: Fix memory limits for qemux86-64
+-  shadow-native: Simplify and fix syslog disable patch
+-  tiff: Add marker for CVE-2022-1056 being fixed
+-  toaster: Fix broken overrides usage
+-  u-boot: Inherit pkgconfig
+-  uninative: Upgrade to 3.6 with gcc 12 support
+-  vim: Upgrade 8.2.4524 -> 8.2.4681
+-  virglrenderer: update SRC_URI
+-  webkitgtk: update to 2.32.4
+-  wireless-regdb: upgrade 2022.02.18 -> 2022.04.08
+
+Known Issues
+~~~~~~~~~~~~
+
+There were a couple of known autobuilder intermittent bugs that occurred during release testing but these are not regressions in the release.
+
+Contributors to 3.4.4
+~~~~~~~~~~~~~~~~~~~~~
+
+-  Alexandre Belloni
+-  Anuj Mittal
+-  Bruce Ashfield
+-  Chee Yang Lee
+-  Dmitry Baryshkov
+-  Joe Slater
+-  Konrad Weihmann
+-  Martin Jansa
+-  Michael Opdenacker
+-  Minjae Kim
+-  Peter Kjellerstedt
+-  Ralph Siemsen
+-  Richard Purdie
+-  Ross Burton
+-  Tim Orling
+-  wangmy
+-  zhengruoqin
+
+Repositories / Downloads for 3.4.4
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+poky
+
+-  Repository Location: https://git.yoctoproject.org/poky/
+-  Branch: :yocto_git:`honister </poky/log/?h=honister>`
+-  Tag: `yocto-3.4.4 <https://git.yoctoproject.org/poky/tag/?h=yocto-3.4.4>`__
+-  Git Revision: :yocto_git:`780eeec8851950ee6ac07a2a398ba937206bd2e4 </poky/commit/?id=780eeec8851950ee6ac07a2a398ba937206bd2e4>`
+-  Release Artefact: poky-780eeec8851950ee6ac07a2a398ba937206bd2e4
+-  sha: 09558927064454ec2492da376156b716d9fd14aae57196435d742db7bfdb4b95
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-3.4.4/poky-780eeec8851950ee6ac07a2a398ba937206bd2e4.tar.bz2,
+   http://mirrors.kernel.org/yocto/yocto/yocto-3.4.4/poky-780eeec8851950ee6ac07a2a398ba937206bd2e4.tar.bz2
+
+openembedded-core
+
+-  Repository Location: :oe_git:`/openembedded-core`
+-  Branch: :oe_git:`honister </openembedded-core/log/?h=honister>`
+-  Tag: :oe_git:`yocto-3.4.4 </openembedded-core/tag/?h=yocto-3.4.4>`
+-  Git Revision: :oe_git:`1a6f5e27249afb6fb4d47c523b62b5dd2482a69d </openembedded-core/commit/?id=1a6f5e27249afb6fb4d47c523b62b5dd2482a69d>`
+-  Release Artefact: oecore-1a6f5e27249afb6fb4d47c523b62b5dd2482a69d
+-  sha: b8354ca457756384139a579b9e51f1ba854013c99add90c0c4c6ef68421fede5
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-3.4.4/oecore-1a6f5e27249afb6fb4d47c523b62b5dd2482a69d.tar.bz2,
+   http://mirrors.kernel.org/yocto/yocto/yocto-3.4.4/oecore-1a6f5e27249afb6fb4d47c523b62b5dd2482a69d.tar.bz2
+
+meta-mingw
+
+-  Repository Location: https://git.yoctoproject.org/meta-mingw
+-  Branch: :yocto_git:`honister </meta-mingw/log/?h=honister>`
+-  Tag: :yocto_git:`yocto-3.4.4 </meta-mingw/tag/?h=yocto-3.4.4>`
+-  Git Revision: :yocto_git:`f5d761cbd5c957e4405c5d40b0c236d263c916a8 </meta-mingw/commit/?id=f5d761cbd5c957e4405c5d40b0c236d263c916a8>`
+-  Release Artefact: meta-mingw-f5d761cbd5c957e4405c5d40b0c236d263c916a8
+-  sha: d4305d638ef80948584526c8ca386a8cf77933dffb8a3b8da98d26a5c40fcc11
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-3.4.4/meta-mingw-f5d761cbd5c957e4405c5d40b0c236d263c916a8.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-3.4.4/meta-mingw-f5d761cbd5c957e4405c5d40b0c236d263c916a8.tar.bz2
+
+meta-gplv2
+
+-  Repository Location: https://git.yoctoproject.org/meta-gplv2
+-  Branch: :yocto_git:`honister </meta-gplv2/log/?h=honister>`
+-  Tag: :yocto_git:`yocto-3.4.4 </meta-gplv2/tag/?h=yocto-3.4.4>`
+-  Git Revision: :yocto_git:`f04e4369bf9dd3385165281b9fa2ed1043b0e400 </meta-gplv2/commit/?id=f04e4369bf9dd3385165281b9fa2ed1043b0e400>`
+-  Release Artefact: meta-gplv2-f04e4369bf9dd3385165281b9fa2ed1043b0e400
+-  sha: ef8e2b1ec1fb43dbee4ff6990ac736315c7bc2d8c8e79249e1d337558657d3fe
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-3.4.4/meta-gplv2-f04e4369bf9dd3385165281b9fa2ed1043b0e400.tar.bz2,
+   http://mirrors.kernel.org/yocto/yocto/yocto-3.4.4/meta-gplv2-f04e4369bf9dd3385165281b9fa2ed1043b0e400.tar.bz2
+
+bitbake
+
+-  Repository Location: :oe_git:`/bitbake`
+-  Branch: :oe_git:`1.52 </bitbake/log/?h=1.52>`
+-  Tag: :oe_git:`yocto-3.4.4 </bitbake/tag/?h=yocto-3.4.3>`
+-  Git Revision: :oe_git:`c2d8f9b2137bd4a98eb0f51519493131773e7517 </bitbake/commit/?id=c2d8f9b2137bd4a98eb0f51519493131773e7517>`
+-  Release Artefact: bitbake-c2d8f9b2137bd4a98eb0f51519493131773e7517
+-  sha: a8b6217f2d63975bbf49f430e11046608023ee2827faa893b15d9a0d702cf833
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-3.4.4/bitbake-c2d8f9b2137bd4a98eb0f51519493131773e7517.tar.bz2,
+   http://mirrors.kernel.org/yocto/yocto/yocto-3.4.4/bitbake-c2d8f9b2137bd4a98eb0f51519493131773e7517.tar.bz2
+
+yocto-docs
+
+-  Repository Location: https://git.yoctoproject.org/yocto-docs
+-  Branch: :yocto_git:`honister </yocto-docs/log/?h=honister>`
+-  Tag: :yocto_git:`yocto-3.4.4 </yocto-docs/tag/?h=yocto-3.4.4>`
+-  Git Revision: :yocto_git:`5ead7d39aaf9044078dff27f462e29a8e31d89e4 </yocto-docs/commit/?5ead7d39aaf9044078dff27f462e29a8e31d89e4>`
--- a/documentation/migration-guides/release-notes-4.0.1.rst
+++ b/documentation/migration-guides/release-notes-4.0.1.rst
@@ -0,0 +1,248 @@
+Release notes for 4.0.1 (kirkstone)
+-----------------------------------
+
+Security Fixes in 4.0.1
+~~~~~~~~~~~~~~~~~~~~~~~
+
+-  linux-yocto/5.15: fix :cve:`2022-28796`
+-  python3: ignore :cve:`2015-20107`
+-  e2fsprogs: fix :cve:`2022-1304`
+-  lua: fix :cve:`2022-28805`
+-  busybox: fix :cve:`2022-28391`
+
+Fixes in 4.0.1
+~~~~~~~~~~~~~~
+
+-  abi_version/sstate: Bump hashequiv and sstate versions due to git changes
+-  apt: add apt selftest to test signed package feeds
+-  apt: upgrade 2.4.4 -> 2.4.5
+-  arch-armv8-2a.inc: fix a typo in TUNEVALID variable
+-  babeltrace: Disable warnings as errors
+-  base: Avoid circular references to our own scripts
+-  base: Drop git intercept
+-  build-appliance-image: Update to kirkstone head revision
+-  build-appliance: Switch to kirkstone branch
+-  buildtools-tarball: Only add cert envvars if certs are included
+-  busybox: Use base_bindir instead of hardcoding /bin path
+-  cases/buildepoxy.py: fix typo
+-  create-spdx: delete virtual/kernel dependency to fix FreeRTOS build
+-  create-spdx: fix error when symlink cannot be created
+-  cve-check: add JSON format to summary output
+-  cve-check: fix symlinks where link and output path are equal
+-  cve-check: no need to depend on the fetch task
+-  cve-update-db-native: let the user to drive the update interval
+-  cve-update-db-native: update the CVE database once a day only
+-  cve_check: skip remote patches that haven't been fetched when searching for CVE tags
+-  dev-manual: add command used to add the signed-off-by line.
+-  devshell.bbclass: Allow devshell & pydevshell to use the network
+-  docs: conf.py: fix cve extlinks caption for sphinx <4.0
+-  docs: migration-guides: migration-3.4: mention that hardcoded password are supported if hashed
+-  docs: migration-guides: release-notes-4.0: fix risc-v typo
+-  docs: migration-guides: release-notes-4.0: replace kernel placeholder with correct recipe name
+-  docs: ref-manual: variables: add hashed password example in EXTRA_USERS_PARAMS
+-  docs: set_versions.py: add information about obsolescence of a release
+-  docs: set_versions.py: fix latest release of a branch being shown twice in switchers.js
+-  docs: set_versions.py: fix latest version of an active release shown as obsolete
+-  docs: set_versions.py: mark as obsolete only branches and old tags from obsolete releases
+-  docs: sphinx-static: switchers.js.in: do not mark branches as outdated
+-  docs: sphinx-static: switchers.js.in: fix broken switcher for branches
+-  docs: sphinx-static: switchers.js.in: improve obsolete version detection
+-  docs: sphinx-static: switchers.js.in: remove duplicate for outdated versions
+-  docs: sphinx-static: switchers.js.in: rename all_versions to switcher_versions
+-  docs: update Bitbake objects.inv location for master branch
+-  documentation/brief-yoctoprojectqs: add directory for local.conf
+-  gcompat: Fix build when usrmerge distro feature is enabled
+-  git: correct license
+-  git: upgrade 2.35.2 -> 2.35.3
+-  glib: upgrade 2.72.0 -> 2.72.1
+-  glibc: ptest: Fix glibc-tests package issue
+-  gnupg: Disable FORTIFY_SOURCES on mips
+-  go.bbclass: disable the use of the default configuration file
+-  gstreamer1.0-plugins-bad: drop patch
+-  gstreamer1.0-plugins-good: Fix libsoup dependency
+-  gstreamer1.0: Minor documentation addition
+-  install/devshell: Introduce git intercept script due to fakeroot issues
+-  kernel-yocto.bbclass: Fixup do_kernel_configcheck usage of KMETA
+-  libc-glibc: Use libxcrypt to provide virtual/crypt
+-  libgit2: upgrade 1.4.2 -> 1.4.3
+-  libsoup: upgrade 3.0.5 -> 3.0.6
+-  libusb1: upgrade 1.0.25 -> 1.0.26
+-  linux-firmware: correct license for ar3k firmware
+-  linux-firmware: upgrade 20220310 -> 20220411
+-  linux-yocto/5.10: base: enable kernel crypto userspace API
+-  linux-yocto/5.10: update to v5.10.112
+-  linux-yocto/5.15: arm: poky-tiny cleanup and fixes
+-  linux-yocto/5.15: base: enable kernel crypto userspace API
+-  linux-yocto/5.15: fix -standard kernel build issue
+-  linux-yocto/5.15: fix ppc boot
+-  linux-yocto/5.15: fix qemuarm graphical boot
+-  linux-yocto/5.15: kasan: fix BUG: sleeping function called from invalid context
+-  linux-yocto/5.15: netfilter: conntrack: avoid useless indirection during conntrack destruction
+-  linux-yocto/5.15: update to v5.15.36
+-  linux-yocto: enable powerpc-debug fragment
+-  mdadm: Drop clang specific cflags
+-  migration-3.4: add missing entry on EXTRA_USERS_PARAMS
+-  migration-guides: add release notes for 4.0
+-  migration-guides: complete migration guide for 4.0
+-  migration-guides: release-notes-4.0: mention LTS release
+-  migration-guides: release-notes-4.0: update 'Repositories / Downloads' section
+-  migration-guides: stop including documents with ".. include"
+-  musl: Fix build when usrmerge distro feature is enabled
+-  ncurses: use COPYING file
+-  neard: Switch SRC_URI to git repo
+-  oeqa/selftest: add test for git working correctly inside pseudo
+-  openssl: minor security upgrade 3.0.2 -> 3.0.3
+-  package.bbclass: Prevent perform_packagecopy from removing /sysroot-only
+-  package: Ensure we track whether PRSERV was active or not
+-  package_manager: fix missing dependency on gnupg when signing deb package feeds
+-  poky-tiny: enable qemuarmv5/qemuarm64 and cleanups
+-  poky.conf: bump version for 4.0.1 release
+-  qemu.bbclass: Extend ppc/ppc64 extra options
+-  qemuarm64: use virtio pci interfaces
+-  qemuarmv5: use arm-versatile-926ejs KMACHINE
+-  ref-manual: Add XZ_THREADS and XZ_MEMLIMIT
+-  ref-manual: add KERNEL_DEBUG_TIMESTAMPS
+-  ref-manual: add ZSTD_THREADS
+-  ref-manual: add a note about hard-coded passwords
+-  ref-manual: add empty-dirs QA check and QA_EMPTY_DIRS*
+-  ref-manual: add mention of vendor filtering to CVE_PRODUCT
+-  ref-manual: mention wildcarding support in INCOMPATIBLE_LICENSE
+-  releases: update for yocto 4.0
+-  rootfs-postcommands: fix symlinks where link and output path are equal
+-  ruby: upgrade 3.1.1 -> 3.1.2
+-  sanity: skip make 4.2.1 warning for debian
+-  scripts/git: Ensure we don't have circular references
+-  scripts: Make git intercept global
+-  seatd: Disable overflow warning as error on ppc64/musl
+-  selftest/lic_checksum: Add test for filename containing space
+-  set_versions: update for 4.0 release
+-  staging: Ensure we filter out ourselves
+-  strace: fix ptest failure in landlock
+-  subversion: upgrade to 1.14.2
+-  systemd-boot: remove outdated EFI_LD comment
+-  systemtap: Fix build with gcc-12
+-  terminal.py: Restore error output from Terminal
+-  u-boot: Correct the SRC_URI
+-  u-boot: Inherit pkgconfig
+-  update_udev_hwdb: fix multilib issue with systemd
+-  util-linux: Create u-a symlink for findfs utility
+-  virgl: skip headless test on alma 8.6
+-  webkitgtk: adjust patch status
+-  wic: do not use PARTLABEL for msdos partition tables
+-  wireless-regdb: upgrade 2022.02.18 -> 2022.04.08
+-  xserver-xorg: Fix build with gcc12
+-  yocto-bsps: update to v5.15.36
+
+Contributors to 4.0.1
+~~~~~~~~~~~~~~~~~~~~~
+
+-  Abongwa Amahnui Bonalais
+-  Alexander Kanavin
+-  Bruce Ashfield
+-  Carlos Rafael Giani
+-  Chen Qi
+-  Davide Gardenal
+-  Dmitry Baryshkov
+-  Ferry Toth
+-  Henning Schild
+-  Jon Mason
+-  Justin Bronder
+-  Kai Kang
+-  Khem Raj
+-  Konrad Weihmann
+-  Lee Chee Yang
+-  Marta Rybczynska
+-  Martin Jansa
+-  Matt Madison
+-  Michael Halstead
+-  Michael Opdenacker
+-  Naveen Saini
+-  Nicolas Dechesne
+-  Paul Eggleton
+-  Paul Gortmaker
+-  Paulo Neves
+-  Peter Kjellerstedt
+-  Peter Marko
+-  Pgowda
+-  Portia
+-  Quentin Schulz
+-  Rahul Kumar
+-  Richard Purdie
+-  Robert Joslyn
+-  Robert Yang
+-  Roland Hieber
+-  Ross Burton
+-  Russ Dill
+-  Steve Sakoman
+-  wangmy
+-  zhengruoqin
+
+Repositories / Downloads for 4.0.1
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+poky
+
+-  Repository Location: https://git.yoctoproject.org/git/poky
+-  Branch: :yocto_git:`kirkstone </poky/log/?h=kirkstone>`
+-  Tag: :yocto_git:`yocto-4.0.1 </poky/tag/?h=yocto-4.0.1>`
+-  Git Revision: :yocto_git:`8c489602f218bcf21de0d3c9f8cf620ea5f06430 </poky/commit/?id=8c489602f218bcf21de0d3c9f8cf620ea5f06430>`
+-  Release Artefact: poky-8c489602f218bcf21de0d3c9f8cf620ea5f06430
+-  sha: 65c545a316bd8efb13ae1358eeccc8953543be908008103b51f7f90aed960d00
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.1/poky-8c489602f218bcf21de0d3c9f8cf620ea5f06430.tar.bz2,
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0.1/poky-8c489602f218bcf21de0d3c9f8cf620ea5f06430.tar.bz2
+
+openembedded-core
+
+-  Repository Location: :oe_git:`/openembedded-core`
+-  Branch: :oe_git:`kirkstone </openembedded-core/log/?h=kirkstone>`
+-  Tag: :oe_git:`yocto-4.0.1 </openembedded-core/tag/?h=yocto-4.0>`
+-  Git Revision: :oe_git:`cb8647c08959abb1d6b7c2b3a34b4b415f66d7ee </openembedded-core/commit/?id=cb8647c08959abb1d6b7c2b3a34b4b415f66d7ee>`
+-  Release Artefact: oecore-cb8647c08959abb1d6b7c2b3a34b4b415f66d7ee
+-  sha: 43981b8fad82f601618a133dffbec839524f0d0a055efc3d8f808cbfd811ab17
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.1/oecore-cb8647c08959abb1d6b7c2b3a34b4b415f66d7ee.tar.bz2,
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0.1/oecore-cb8647c08959abb1d6b7c2b3a34b4b415f66d7ee.tar.bz2
+
+meta-mingw
+
+-  Repository Location: https://git.yoctoproject.org/git/meta-mingw
+-  Branch: :yocto_git:`kirkstone </meta-mingw/log/?h=kirkstone>`
+-  Tag: :yocto_git:`yocto-4.0.1 </meta-mingw/tag/?h=yocto-4.0.1>`
+-  Git Revision: :yocto_git:`a90614a6498c3345704e9611f2842eb933dc51c1 </meta-mingw/commit/?id=a90614a6498c3345704e9611f2842eb933dc51c1>`
+-  Release Artefact: meta-mingw-a90614a6498c3345704e9611f2842eb933dc51c1
+-  sha: 49f9900bfbbc1c68136f8115b314e95d0b7f6be75edf36a75d9bcd1cca7c6302
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.1/meta-mingw-a90614a6498c3345704e9611f2842eb933dc51c1.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0.1/meta-mingw-a90614a6498c3345704e9611f2842eb933dc51c1.tar.bz2
+
+meta-gplv2
+
+-  Repository Location: https://git.yoctoproject.org/git/meta-gplv2
+-  Branch: :yocto_git:`kirkstone </meta-gplv2/log/?h=kirkstone>`
+-  Tag: :yocto_git:`yocto-4.0.1 </meta-gplv2/tag/?h=yocto-4.0.1>`
+-  Git Revision: :yocto_git:`d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a </meta-mingw/commit/?id=d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a>`
+-  Release Artefact: meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a
+-  sha: c386f59f8a672747dc3d0be1d4234b6039273d0e57933eb87caa20f56b9cca6d
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.1/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0.1/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+
+bitbake
+
+-  Repository Location: :oe_git:`/bitbake`
+-  Branch: :oe_git:`2.0 </bitbake/log/?h=2.0>`
+-  Tag: :oe_git:`yocto-4.0 </bitbake/tag/?h=yocto-4.0>`
+-  Git Revision: :oe_git:`59c16ae6c55c607c56efd2287537a1b97ba2bf52 </bitbake/commit/?id=59c16ae6c55c607c56efd2287537a1b97ba2bf52>`
+-  Release Artefact: bitbake-59c16ae6c55c607c56efd2287537a1b97ba2bf52
+-  sha: 3ae466c31f738fc45c3d7c6f665952d59f01697f2667ea42f0544d4298dd6ef0
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.1/bitbake-59c16ae6c55c607c56efd2287537a1b97ba2bf52.tar.bz2,
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0.1/bitbake-59c16ae6c55c607c56efd2287537a1b97ba2bf52.tar.bz2
+
+yocto-docs
+
+-  Repository Location: https://git.yoctoproject.org/git/yocto-docs
+-  Branch: :yocto_git:`kirkstone </yocto-docs/log/?h=kirkstone>`
+-  Tag: :yocto_git:`yocto-4.0.1 </yocto-docs/tag/?h=yocto-4.0>`
+-  Git Revision: :yocto_git:`4ec9df3336a425719a9a35532504731ce56984ca </yocto-docs/commit/?id=4ec9df3336a425719a9a35532504731ce56984ca>`
--- a/documentation/migration-guides/release-notes-4.0.2.rst
+++ b/documentation/migration-guides/release-notes-4.0.2.rst
@@ -0,0 +1,296 @@
+Release notes for Yocto-4.0.2 (Kirkstone)
+-----------------------------------------
+
+Security Fixes in Yocto-4.0.2
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  libxslt: Mark :cve:`2022-29824` as not applying
+-  tiff: Add jbig PACKAGECONFIG and clarify IGNORE :cve:`2022-1210`
+-  tiff: mark :cve:`2022-1622` and :cve:`2022-1623` as invalid
+-  pcre2:fix :cve:`2022-1586` Out-of-bounds read
+-  curl: fix :cve:`2022-22576`, :cve:`2022-27775`, :cve:`2022-27776`, :cve:`2022-27774`, :cve:`2022-30115`, :cve:`2022-27780`, :cve:`2022-27781`, :cve:`2022-27779` and :cve:`2022-27782`
+-  qemu: fix :cve:`2021-4206` and :cve:`2021-4207`
+-  freetype: fix :cve:`2022-27404`, :cve:`2022-27405` and :cve:`2022-27406`
+
+Fixes in Yocto-4.0.2
+~~~~~~~~~~~~~~~~~~~~
+
+-  alsa-plugins: fix libavtp vs. avtp packageconfig
+-  archiver: don't use machine variables in shared recipes
+-  archiver: use bb.note instead of echo
+-  baremetal-image: fix broken symlink in do_rootfs
+-  base-passwd: Disable shell for default users
+-  bash: submit patch upstream
+-  bind: upgrade 9.18.1 -> 9.18.2
+-  binutils: Bump to latest 2.38 release branch
+-  bitbake.conf: Make TCLIBC and TCMODE lazy assigned
+-  bitbake: build: Add clean_stamp API function to allow removal of task stamps
+-  bitbake: data: Do not depend on vardepvalueexclude flag
+-  bitbake: fetch2/osc: Small fixes for osc fetcher
+-  bitbake: server/process: Fix logging issues where only the first message was displayed
+-  build-appliance-image: Update to kirkstone head revision
+-  buildhistory.bbclass: fix shell syntax when using dash
+-  cairo: Add missing GPLv3 license checksum entry
+-  classes: rootfs-postcommands: add skip option to overlayfs_qa_check
+-  cronie: upgrade 1.6.0 -> 1.6.1
+-  cups: upgrade 2.4.1 -> 2.4.2
+-  cve-check.bbclass: Added do_populate_sdk[recrdeptask].
+-  cve-check: Add helper for symlink handling
+-  cve-check: Allow warnings to be disabled
+-  cve-check: Fix report generation
+-  cve-check: Only include installed packages for rootfs manifest
+-  cve-check: add support for Ignored CVEs
+-  cve-check: fix return type in check_cves
+-  cve-check: move update_symlinks to a library
+-  cve-check: write empty fragment files in the text mode
+-  cve-extra-exclusions: Add kernel CVEs
+-  cve-update-db-native: make it possible to disable database updates
+-  devtool: Fix _copy_file() TypeError
+-  e2fsprogs: add alternatives handling of lsattr as well
+-  e2fsprogs: update upstream status
+-  efivar: add musl libc compatibility
+-  epiphany: upgrade 42.0 -> 42.2
+-  ffmpeg: upgrade 5.0 -> 5.0.1
+-  fribidi: upgrade 1.0.11 -> 1.0.12
+-  gcc-cross-canadian: Add nativesdk-zstd dependency
+-  gcc-source: Fix incorrect task dependencies from ${B}
+-  gcc: Upgrade to 11.3 release
+-  gcc: depend on zstd-native
+-  git: fix override syntax in RDEPENDS
+-  glib-2.0: upgrade 2.72.1 -> 2.72.2
+-  glibc: Drop make-native dependency
+-  go: upgrade 1.17.8 -> 1.17.10
+-  gst-devtools: upgrade 1.20.1 -> 1.20.2
+-  gstreamer1.0-libav: upgrade 1.20.1 -> 1.20.2
+-  gstreamer1.0-omx: upgrade 1.20.1 -> 1.20.2
+-  gstreamer1.0-plugins-bad: upgrade 1.20.1 -> 1.20.2
+-  gstreamer1.0-plugins-base: upgrade 1.20.1 -> 1.20.2
+-  gstreamer1.0-plugins-good: upgrade 1.20.1 -> 1.20.2
+-  gstreamer1.0-plugins-ugly: upgrade 1.20.1 -> 1.20.2
+-  gstreamer1.0-python: upgrade 1.20.1 -> 1.20.2
+-  gstreamer1.0-rtsp-server: upgrade 1.20.1 -> 1.20.2
+-  gstreamer1.0-vaapi: upgrade 1.20.1 -> 1.20.2
+-  gstreamer1.0: upgrade 1.20.1 -> 1.20.2
+-  gtk+3: upgrade 3.24.33 -> 3.24.34
+-  gtk-doc: Fix potential shebang overflow on gtkdoc-mkhtml2
+-  image.bbclass: allow overriding dependency on virtual/kernel:do_deploy
+-  insane.bbclass: make sure to close .patch files
+-  iso-codes: upgrade 4.9.0 -> 4.10.0
+-  kernel-yocto.bbclass: Reset to exiting on non-zero return code at end of task
+-  libcgroup: upgrade 2.0.1 -> 2.0.2
+-  liberror-perl: Update sstate/equiv versions to clean cache
+-  libinput: upgrade 1.19.3 -> 1.19.4
+-  libpcre2: upgrade 10.39 -> 10.40
+-  librepo: upgrade 1.14.2 -> 1.14.3
+-  libseccomp: Add missing files for ptests
+-  libseccomp: Correct LIC_FILES_CHKSUM
+-  libxkbcommon: upgrade 1.4.0 -> 1.4.1
+-  libxml2: Upgrade 2.9.13 -> 2.9.14
+-  license.bbclass: Bound beginline and endline in copy_license_files()
+-  license_image.bbclass: Make QA errors fail the build
+-  linux-firmware: add support for building snapshots
+-  linux-firmware: package new Qualcomm firmware
+-  linux-firmware: replace mkdir by install
+-  linux-firmware: split ath3k firmware
+-  linux-firmware: upgrade to 20220610
+-  linux-yocto/5.10: update to v5.10.119
+-  linux-yocto/5.15: Enable MDIO bus config
+-  linux-yocto/5.15: bpf: explicitly disable unpriv eBPF by default
+-  linux-yocto/5.15: cfg/xen: Move x86 configs to separate file
+-  linux-yocto/5.15: update to v5.15.44
+-  local.conf.sample: Update sstate url to new 'all' path
+-  logrotate: upgrade 3.19.0 -> 3.20.1
+-  lttng-modules: Fix build failure for 5.10.119+ and 5.15.44+ kernel
+-  lttng-modules: fix build against 5.18-rc7+
+-  lttng-modules: fix shell syntax
+-  lttng-ust: upgrade 2.13.2 -> 2.13.3
+-  lzo: Add further info to a patch and mark as Inactive-Upstream
+-  makedevs: Don't use COPYING.patch just to add license file into ${S}
+-  manuals: switch to the sstate mirror shared between all versions
+-  mesa.inc: package 00-radv-defaults.conf
+-  mesa: backport a patch to support compositors without zwp_linux_dmabuf_v1 again
+-  mesa: upgrade to 22.0.3
+-  meson.bbclass: add cython binary to cross/native toolchain config
+-  mmc-utils: upgrade to latest revision
+-  mobile-broadband-provider-info: upgrade 20220315 -> 20220511
+-  ncurses: update to patchlevel 20220423
+-  oeqa/selftest/cve_check: add tests for Ignored and partial reports
+-  oeqa/selftest/cve_check: add tests for recipe and image reports
+-  oescripts: change compare logic in OEListPackageconfigTests
+-  openssl: Backport fix for ptest cert expiry
+-  overlayfs: add docs about skipping QA check & service dependencies
+-  ovmf: Fix native build with gcc-12
+-  patch.py: make sure that patches/series file exists before quilt pop
+-  pciutils: avoid lspci conflict with busybox
+-  perl: Add dependency on make-native to avoid race issues
+-  perl: Fix build with gcc-12
+-  poky.conf: bump version for 4.0.2
+-  popt: fix override syntax in RDEPENDS
+-  pypi.bbclass: Set CVE_PRODUCT to PYPI_PACKAGE
+-  python3: Ensure stale empty python module directories don't break the build
+-  python3: Remove problematic paths from sysroot files
+-  python3: fix reproducibility issue with python3-core
+-  python3: use built-in distutils for ptest, rather than setuptools' 'fork'
+-  python: Avoid shebang overflow on python-config.py
+-  rootfs-postcommands.bbclass: correct comments
+-  rootfs.py: close kernel_abi_ver_file
+-  rootfs.py: find .ko.zst kernel modules
+-  rust-common: Drop LLVM_TARGET and simplify
+-  rust-common: Ensure sstate signatures have correct dependencues for do_rust_gen_targets
+-  rust-common: Fix for target definitions returning 'NoneType' for arm
+-  rust-common: Fix native signature dependency issues
+-  rust-common: Fix sstate signatures between arm hf and non-hf
+-  sanity: Don't warn about make 4.2.1 for mint
+-  sanity: Switch to make 4.0 as a minimum version
+-  sed: Specify shell for "nobody" user in run-ptest
+-  selftest/imagefeatures/overlayfs: Always append to DISTRO_FEATURES
+-  selftest/multiconfig: Test that multiconfigs in separate layers works
+-  sqlite3: upgrade to 3.38.5
+-  staging.bbclass: process direct dependencies in deterministic order
+-  staging: Fix rare sysroot corruption issue
+-  strace: Don't run ptest as "nobody"
+-  systemd: Correct 0001-pass-correct-parameters-to-getdents64.patch
+-  systemd: Correct path returned in sd_path_lookup()
+-  systemd: Document future actions needed for set of musl patches
+-  systemd: Drop 0001-test-parse-argument-Include-signal.h.patch
+-  systemd: Drop 0002-don-t-use-glibc-specific-qsort_r.patch
+-  systemd: Drop 0016-Hide-__start_BUS_ERROR_MAP-and-__stop_BUS_ERROR_MAP.patch
+-  systemd: Drop redundant musl patches
+-  systemd: Fix build regression with latest update
+-  systemd: Remove __compare_fn_t type in musl-specific patch
+-  systemd: Update patch status
+-  systemd: systemd-systemctl: Support instance conf files during enable
+-  systemd: update ``0008-add-missing-FTW_-macros-for-musl.patch``
+-  systemd: upgrade 250.4 -> 250.5
+-  uboot-sign: Fix potential index error issues
+-  valgrind: submit arm patches upstream
+-  vim: Upgrade to 8.2.5083
+-  webkitgtk: upgrade to 2.36.3
+-  wic/plugins/rootfs: Fix permissions when splitting rootfs folders across partitions
+-  xwayland: upgrade 22.1.0 -> 22.1.1
+-  xxhash: fix build with gcc 12
+-  zip/unzip: mark all submittable patches as Inactive-Upstream
+
+Known Issues in Yocto-4.0.2
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- There were build failures at the autobuilder due to a known scp issue on Fedora-36 hosts.
+
+Contributors to Yocto-4.0.2
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  Alex Kiernan
+-  Alexander Kanavin
+-  Aryaman Gupta
+-  Bruce Ashfield
+-  Claudius Heine
+-  Davide Gardenal
+-  Dmitry Baryshkov
+-  Ernst Sjöstrand
+-  Felix Moessbauer
+-  Gunjan Gupta
+-  He Zhe
+-  Hitendra Prajapati
+-  Jack Mitchell
+-  Jeremy Puhlman
+-  Jiaqing Zhao
+-  Joerg Vehlow
+-  Jose Quaresma
+-  Kai Kang
+-  Khem Raj
+-  Konrad Weihmann
+-  Marcel Ziswiler
+-  Markus Volk
+-  Marta Rybczynska
+-  Martin Jansa
+-  Michael Opdenacker
+-  Mingli Yu
+-  Naveen Saini
+-  Nick Potenski
+-  Paulo Neves
+-  Pavel Zhukov
+-  Peter Kjellerstedt
+-  Rasmus Villemoes
+-  Richard Purdie
+-  Robert Joslyn
+-  Ross Burton
+-  Samuli Piippo
+-  Sean Anderson
+-  Stefan Wiehler
+-  Steve Sakoman
+-  Sundeep Kokkonda
+-  Tomasz Dziendzielski
+-  Xiaobing Luo
+-  Yi Zhao
+-  leimaohui
+-  wangmy
+
+Repositories / Downloads for Yocto-4.0.2
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+poky
+
+-  Repository Location: https://git.yoctoproject.org/git/poky
+-  Branch: :yocto_git:`kirkstone </poky/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.2 </poky/log/?h=yocto-4.0.2>`
+-  Git Revision: :yocto_git:`a5ea426b1da472fc8549459fff3c1b8c6e02f4b5 </poky/commit/?id=a5ea426b1da472fc8549459fff3c1b8c6e02f4b5>`
+-  Release Artefact: poky-a5ea426b1da472fc8549459fff3c1b8c6e02f4b5
+-  sha: 474ddfacfed6661be054c161597a1a5273188dfe021b31d6156955d93c6b7359
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.2/poky-a5ea426b1da472fc8549459fff3c1b8c6e02f4b5.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0.2/poky-a5ea426b1da472fc8549459fff3c1b8c6e02f4b5.tar.bz2
+
+openembedded-core
+
+-  Repository Location: https://git.openembedded.org/openembedded-core
+-  Branch: :oe_git:`kirkstone </openembedded-core/log/?h=kirkstone>`
+-  Tag:  :oe_git:`yocto-4.0.2 </openembedded-core/log/?h=yocto-4.0.2>`
+-  Git Revision: :oe_git:`eea52e0c3d24c79464f4afdbc3c397e1cb982231 </openembedded-core/commit/?id=eea52e0c3d24c79464f4afdbc3c397e1cb982231>`
+-  Release Artefact: oecore-eea52e0c3d24c79464f4afdbc3c397e1cb982231
+-  sha: 252d5c2c2db7e14e7365fcc69d32075720b37d629894bae36305eba047a39907
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.2/oecore-eea52e0c3d24c79464f4afdbc3c397e1cb982231.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0.2/oecore-eea52e0c3d24c79464f4afdbc3c397e1cb982231.tar.bz2
+
+meta-mingw
+
+-  Repository Location: https://git.yoctoproject.org/git/meta-mingw
+-  Branch: :yocto_git:`kirkstone </meta-mingw/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.2 </meta-mingw/log/?h=yocto-4.0.2>`
+-  Git Revision: :yocto_git:`a90614a6498c3345704e9611f2842eb933dc51c1 </meta-mingw/commit/?id=a90614a6498c3345704e9611f2842eb933dc51c1>`
+-  Release Artefact: meta-mingw-a90614a6498c3345704e9611f2842eb933dc51c1
+-  sha: 49f9900bfbbc1c68136f8115b314e95d0b7f6be75edf36a75d9bcd1cca7c6302
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.2/meta-mingw-a90614a6498c3345704e9611f2842eb933dc51c1.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0.2/meta-mingw-a90614a6498c3345704e9611f2842eb933dc51c1.tar.bz2
+
+meta-gplv2
+
+-  Repository Location: https://git.yoctoproject.org/git/meta-gplv2
+-  Branch: :yocto_git:`kirkstone </meta-gplv2/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.2 </meta-gplv2/log/?h=yocto-4.0.2>`
+-  Git Revision: :yocto_git:`d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a </meta-gplv2/commit/?id=d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a>`
+-  Release Artefact: meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a
+-  sha: c386f59f8a672747dc3d0be1d4234b6039273d0e57933eb87caa20f56b9cca6d
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.2/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0.2/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+
+bitbake
+
+-  Repository Location: https://git.openembedded.org/bitbake
+-  Branch: :oe_git:`2.0 </bitbake/log/?h=2.0>`
+-  Tag:  :oe_git:`yocto-4.0.2 </bitbake/log/?h=yocto-4.0.2>`
+-  Git Revision: :oe_git:`b8fd6f5d9959d27176ea016c249cf6d35ac8ba03 </bitbake/commit/?id=b8fd6f5d9959d27176ea016c249cf6d35ac8ba03>`
+-  Release Artefact: bitbake-b8fd6f5d9959d27176ea016c249cf6d35ac8ba03
+-  sha: 373818b1dee2c502264edf654d6d8f857b558865437f080e02d5ba6bb9e72cc3
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.2/bitbake-b8fd6f5d9959d27176ea016c249cf6d35ac8ba03.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0.2/bitbake-b8fd6f5d9959d27176ea016c249cf6d35ac8ba03.tar.bz2
+
+yocto-docs
+
+-  Repository Location: https://git.yoctoproject.org/git/yocto-docs
+-  Branch: :yocto_git:`kirkstone </yocto-docs/log/?h=kirkstone>`
+-  Tag: :yocto_git:`yocto-4.0.2 </yocto-docs/log/?h=yocto-4.0.2>`
+-  Git Revision: :yocto_git:`662294dccd028828d5c7e9fd8f5c8e14df53df4b </yocto-docs/commit/?id=662294dccd028828d5c7e9fd8f5c8e14df53df4b>`
--- a/documentation/migration-guides/release-notes-4.0.3.rst
+++ b/documentation/migration-guides/release-notes-4.0.3.rst
@@ -0,0 +1,314 @@
+Release notes for Yocto-4.0.3 (Kirkstone)
+-----------------------------------------
+
+Security Fixes in Yocto-4.0.3
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  binutils: fix :cve:`2019-1010204`
+-  busybox: fix :cve:`2022-30065`
+-  cups: ignore :cve:`2022-26691`
+-  curl: Fix :cve:`2022-32205`, :cve:`2022-32206`, :cve:`2022-32207` and :cve:`2022-32208`
+-  dpkg: fix :cve:`2022-1664`
+-  ghostscript: fix :cve:`2022-2085`
+-  harfbuzz: fix :cve:`2022-33068`
+-  libtirpc: fix :cve:`2021-46828`
+-  lua: fix :cve:`2022-33099`
+-  nasm: ignore :cve:`2020-18974`
+-  qemu: fix :cve:`2022-35414`
+-  qemu: ignore :cve:`2021-20255` and :cve:`2019-12067`
+-  tiff: fix :cve:`2022-1354`, :cve:`2022-1355`, :cve:`2022-2056`, :cve:`2022-2057` and :cve:`2022-2058`
+-  u-boot: fix :cve:`2022-34835`
+-  unzip: fix :cve:`2022-0529` and :cve:`2022-0530`
+
+
+Fixes in Yocto-4.0.3
+~~~~~~~~~~~~~~~~~~~~
+
+-  alsa-state: correct license
+-  at: take tarballs from debian
+-  base.bbclass: Correct the test for obsolete license exceptions
+-  base/reproducible: Change Source Date Epoch generation methods
+-  bin_package: install into base_prefix
+-  bind: Remove legacy python3 PACKAGECONFIG code
+-  bind: upgrade to 9.18.4
+-  binutils: stable 2.38 branch updates
+-  build-appliance-image: Update to kirkstone head revision
+-  cargo_common.bbclass: enable bitbake vendoring for externalsrc
+-  coreutils: Tweak packaging variable names for coreutils-dev
+-  curl: backport openssl fix CN check error code
+-  cve-check: hook cleanup to the BuildCompleted event, not CookerExit
+-  cve-extra-exclusions: Clean up and ignore three CVEs (2xqemu and nasm)
+-  devtool: finish: handle patching when S points to subdir of a git repo
+-  devtool: ignore pn- overrides when determining SRC_URI overrides
+-  docs: BB_HASHSERVE_UPSTREAM: update to new host
+-  dropbear: break dependency on base package for -dev package
+-  efivar: fix import functionality
+-  encodings: update to 1.0.6
+-  epiphany: upgrade to 42.3
+-  externalsrc.bbclass: support crate fetcher on externalsrc
+-  font-util: update 1.3.2 -> 1.3.3
+-  gcc-runtime: Fix build when using gold
+-  gcc-runtime: Fix missing MLPREFIX in debug mappings
+-  gcc-runtime: Pass -nostartfiles when building dummy libstdc++.so
+-  gcc: Backport a fix for gcc bug 105039
+-  git: upgrade to v2.35.4
+-  glib-2.0: upgrade to 2.72.3
+-  glib-networking: upgrade to 2.72.1
+-  glibc : stable 2.35 branch updates
+-  glibc-tests: Avoid reproducibility issues
+-  glibc-tests: not clear BBCLASSEXTEND
+-  glibc: revert one upstream change to work around broken DEBUG_BUILD build
+-  glibc: stable 2.35 branch updates
+-  gnupg: upgrade to 2.3.7
+-  go: upgrade to v1.17.12
+-  gobject-introspection-data: Disable cache for g-ir-scanner
+-  gperf: Add a patch to work around reproducibility issues
+-  gperf: Switch to upstream patch
+-  gst-devtools: upgrade to 1.20.3
+-  gstreamer1.0-libav: upgrade to 1.20.3
+-  gstreamer1.0-omx: upgrade to 1.20.3
+-  gstreamer1.0-plugins-bad: upgrade to 1.20.3
+-  gstreamer1.0-plugins-base: upgrade to 1.20.3
+-  gstreamer1.0-plugins-good: upgrade to 1.20.3
+-  gstreamer1.0-plugins-ugly: upgrade to 1.20.3
+-  gstreamer1.0-python: upgrade to 1.20.3
+-  gstreamer1.0-rtsp-server: upgrade to 1.20.3
+-  gstreamer1.0-vaapi: upgrade to 1.20.3
+-  gstreamer1.0: upgrade to 1.20.3
+-  gtk-doc: Remove hardcoded buildpath
+-  harfbuzz: Fix compilation with clang
+-  initramfs-framework: move storage mounts to actual rootfs
+-  initscripts: run umountnfs as a KILL script
+-  insane.bbclass: host-user-contaminated: Correct per package home path
+-  insane: Fix buildpaths test to work with special devices
+-  kernel-arch: Fix buildpaths leaking into external module compiles
+-  kernel-devsrc: fix reproducibility and buildpaths QA warning
+-  kernel-devsrc: ppc32: fix reproducibility
+-  kernel-uboot.bbclass: Use vmlinux.initramfs when INITRAMFS_IMAGE_BUNDLE set
+-  kernel.bbclass: pass LD also in savedefconfig
+-  libffi: fix native build being not portable
+-  libgcc: Fix standalone target builds with usrmerge distro feature
+-  libmodule-build-perl: Use env utility to find perl interpreter
+-  libsoup: upgrade to 3.0.7
+-  libuv: upgrade to 1.44.2
+-  linux-firmware: upgrade to 20220708
+-  linux-firwmare: restore WHENCE_CHKSUM variable
+-  linux-yocto-rt/5.15: update to -rt48 (and fix -stable merge)
+-  linux-yocto/5.10: fix build_OID_registry/conmakehash buildpaths warning
+-  linux-yocto/5.10: fix buildpaths issue with gen-mach-types
+-  linux-yocto/5.10: fix buildpaths issue with pnmtologo
+-  linux-yocto/5.10: update to v5.10.135
+-  linux-yocto/5.15: drop obselete GPIO sysfs ABI
+-  linux-yocto/5.15: fix build_OID_registry buildpaths warning
+-  linux-yocto/5.15: fix buildpaths issue with gen-mach-types
+-  linux-yocto/5.15: fix buildpaths issue with pnmtologo
+-  linux-yocto/5.15: fix qemuppc buildpaths warning
+-  linux-yocto/5.15: fix reproducibility issues
+-  linux-yocto/5.15: update to v5.15.59
+-  log4cplus: upgrade to 2.0.8
+-  lttng-modules: Fix build failure for kernel v5.15.58
+-  lttng-modules: upgrade to 2.13.4
+-  lua: Fix multilib buildpath reproducibility issues
+-  mkfontscale: upgrade to 1.2.2
+-  oe-selftest-image: Ensure the image has sftp as well as dropbear
+-  oe-selftest: devtool: test modify git recipe building from a subdir
+-  oeqa/runtime/scp: Disable scp test for dropbear
+-  oeqa/runtime: add test that the kernel has CONFIG_PREEMPT_RT enabled
+-  oeqa/sdk: drop the nativesdk-python 2.x test
+-  openssh: Add openssh-sftp-server to openssh RDEPENDS
+-  openssh: break dependency on base package for -dev package
+-  openssl: update to 3.0.5
+-  package.bbclass: Avoid stripping signed kernel modules in splitdebuginfo
+-  package.bbclass: Fix base directory for debugsource files when using externalsrc
+-  package.bbclass: Fix kernel source handling when not using externalsrc
+-  package_manager/ipk: do not pipe stderr to stdout
+-  packagegroup-core-ssh-dropbear: Add openssh-sftp-server recommendation
+-  patch: handle if S points to a subdirectory of a git repo
+-  perf: fix reproducibility in 5.19+
+-  perf: fix reproduciblity in older releases of Linux
+-  perf: sort-pmuevents: really keep array terminators
+-  perl: don't install Makefile.old into perl-ptest
+-  poky.conf: bump version for 4.0.3
+-  pulseaudio: add m4-native to DEPENDS
+-  python3: Backport patch to fix an issue in subinterpreters
+-  qemu: Add PACKAGECONFIG for brlapi
+-  qemu: Avoid accidental librdmacm linkage
+-  qemu: Avoid accidental libvdeplug linkage
+-  qemu: Fix slirp determinism issue
+-  qemu: add PACKAGECONFIG for capstone
+-  recipetool/devtool: Fix python egg whitespace issues in PACKAGECONFIG
+-  ref-manual: variables: remove sphinx directive from literal block
+-  rootfs-postcommands.bbclass: move host-user-contaminated.txt to ${S}
+-  ruby: add PACKAGECONFIG for capstone
+-  rust: fix issue building cross-canadian tools for aarch64 on x86_64
+-  sanity.bbclass: Add ftps to accepted URI protocols for mirrors sanity
+-  selftest/runtime_test/virgl: Disable for all almalinux
+-  sstatesig: Include all dependencies in SPDX task signatures
+-  strace: set COMPATIBLE_HOST for riscv32
+-  systemd: Added base_bindir into pkg_postinst:udev-hwdb.
+-  udev-extraconf/initrdscripts/parted: Rename mount.blacklist -> mount.ignorelist
+-  udev-extraconf/mount.sh: add LABELs to mountpoints
+-  udev-extraconf/mount.sh: ignore lvm in automount
+-  udev-extraconf/mount.sh: only mount devices on hotplug
+-  udev-extraconf/mount.sh: save mount name in our tmp filecache
+-  udev-extraconf: fix some systemd automount issues
+-  udev-extraconf: force systemd-udevd to use shared MountFlags
+-  udev-extraconf: let automount base directory configurable
+-  udev-extraconf:mount.sh: fix a umount issue
+-  udev-extraconf:mount.sh: fix path mismatching issues
+-  vala: Fix on target wrapper buildpaths issue
+-  vala: upgrade to 0.56.2
+-  vim: upgrade to 9.0.0063
+-  waffle: correctly request wayland-scanner executable
+-  webkitgtk: upgrade to 2.36.4
+-  weston: upgrade to 10.0.1
+-  wic/plugins/rootfs: Fix NameError for 'orig_path'
+-  wic: fix WicError message
+-  wireless-regdb: upgrade to 2022.06.06
+-  xdpyinfo: upgrade to 1.3.3
+-  xev: upgrade to 1.2.5
+-  xf86-input-synaptics: upgrade to 1.9.2
+-  xmodmap: upgrade to 1.0.11
+-  xorg-app: Tweak handling of compression changes in SRC_URI
+-  xserver-xorg: upgrade to 21.1.4
+-  xwayland: upgrade to 22.1.3
+-  yocto-bsps/5.10: fix buildpaths issue with gen-mach-types
+-  yocto-bsps/5.10: fix buildpaths issue with pnmtologo
+-  yocto-bsps/5.15: fix buildpaths issue with gen-mach-types
+-  yocto-bsps/5.15: fix buildpaths issue with pnmtologo
+-  yocto-bsps: buildpaths fixes
+-  yocto-bsps: update to v5.10.130
+-  yocto-bsps: buildpaths fixes
+-  yocto-bsps: update to v5.15.54
+
+
+Known Issues in Yocto-4.0.3
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- N/A
+
+
+Contributors to Yocto-4.0.3
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  Ahmed Hossam
+-  Alejandro Hernandez Samaniego
+-  Alex Kiernan
+-  Alexander Kanavin
+-  Bruce Ashfield
+-  Chanho Park
+-  Christoph Lauer
+-  David Bagonyi
+-  Dmitry Baryshkov
+-  He Zhe
+-  Hitendra Prajapati
+-  Jose Quaresma
+-  Joshua Watt
+-  Kai Kang
+-  Khem Raj
+-  Lee Chee Yang
+-  Lucas Stach
+-  Markus Volk
+-  Martin Jansa
+-  Maxime Roussin-Bélanger
+-  Michael Opdenacker
+-  Mihai Lindner
+-  Ming Liu
+-  Mingli Yu
+-  Muhammad Hamza
+-  Naveen
+-  Pascal Bach
+-  Paul Eggleton
+-  Pavel Zhukov
+-  Peter Bergin
+-  Peter Kjellerstedt
+-  Peter Marko
+-  Pgowda
+-  Raju Kumar Pothuraju
+-  Richard Purdie
+-  Robert Joslyn
+-  Ross Burton
+-  Sakib Sajal
+-  Shruthi Ravichandran
+-  Steve Sakoman
+-  Sundeep Kokkonda
+-  Thomas Roos
+-  Tom Hochstein
+-  Wentao Zhang
+-  Yi Zhao
+-  Yue Tao
+-  gr embeter
+-  leimaohui
+-  wangmy
+
+
+Repositories / Downloads for Yocto-4.0.3
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+poky
+
+-  Repository Location: https://git.yoctoproject.org/git/poky
+-  Branch: :yocto_git:`kirkstone </poky/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.3 </poky/log/?h=yocto-4.0.3>`
+-  Git Revision: :yocto_git:`387ab5f18b17c3af3e9e30dc58584641a70f359f </poky/commit/?id=387ab5f18b17c3af3e9e30dc58584641a70f359f>`
+-  Release Artefact: poky-387ab5f18b17c3af3e9e30dc58584641a70f359f
+-  sha: fe674186bdb0684313746caa9472134fc19e6f1443c274fe02c06cb1e675b404
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.3/poky-387ab5f18b17c3af3e9e30dc58584641a70f359f.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0.3/poky-387ab5f18b17c3af3e9e30dc58584641a70f359f.tar.bz2
+
+openembedded-core
+
+-  Repository Location: https://git.openembedded.org/openembedded-core
+-  Branch: :oe_git:`kirkstone </openembedded-core/log/?h=kirkstone>`
+-  Tag:  :oe_git:`yocto-4.0.3 </openembedded-core/log/?h=yocto-4.0.3>`
+-  Git Revision: :oe_git:`2cafa6ed5f0aa9df5a120b6353755d56c7c7800d </openembedded-core/commit/?id=2cafa6ed5f0aa9df5a120b6353755d56c7c7800d>`
+-  Release Artefact: oecore-2cafa6ed5f0aa9df5a120b6353755d56c7c7800d
+-  sha: 5181d3e8118c6112936637f01a07308b715e0e3d12c7eba338556747dfcabe92
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.3/oecore-2cafa6ed5f0aa9df5a120b6353755d56c7c7800d.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0.3/oecore-2cafa6ed5f0aa9df5a120b6353755d56c7c7800d.tar.bz2
+
+meta-mingw
+
+-  Repository Location: https://git.yoctoproject.org/git/meta-mingw
+-  Branch: :yocto_git:`kirkstone </meta-mingw/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.3 </meta-mingw/log/?h=yocto-4.0.3>`
+-  Git Revision: :yocto_git:`a90614a6498c3345704e9611f2842eb933dc51c1 </meta-mingw/commit/?id=a90614a6498c3345704e9611f2842eb933dc51c1>`
+-  Release Artefact: meta-mingw-a90614a6498c3345704e9611f2842eb933dc51c1
+-  sha: 49f9900bfbbc1c68136f8115b314e95d0b7f6be75edf36a75d9bcd1cca7c6302
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.3/meta-mingw-a90614a6498c3345704e9611f2842eb933dc51c1.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0.3/meta-mingw-a90614a6498c3345704e9611f2842eb933dc51c1.tar.bz2
+
+meta-gplv2
+
+-  Repository Location: https://git.yoctoproject.org/git/meta-gplv2
+-  Branch: :yocto_git:`kirkstone </meta-gplv2/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.3 </meta-gplv2/log/?h=yocto-4.0.3>`
+-  Git Revision: :yocto_git:`d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a </meta-gplv2/commit/?id=d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a>`
+-  Release Artefact: meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a
+-  sha: c386f59f8a672747dc3d0be1d4234b6039273d0e57933eb87caa20f56b9cca6d
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.3/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0.3/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+
+bitbake
+
+-  Repository Location: https://git.openembedded.org/bitbake
+-  Branch: :oe_git:`2.0 </bitbake/log/?h=2.0>`
+-  Tag:  :oe_git:`yocto-4.0.3 </bitbake/log/?h=yocto-4.0.3>`
+-  Git Revision: :oe_git:`b8fd6f5d9959d27176ea016c249cf6d35ac8ba03 </bitbake/commit/?id=b8fd6f5d9959d27176ea016c249cf6d35ac8ba03>`
+-  Release Artefact: bitbake-b8fd6f5d9959d27176ea016c249cf6d35ac8ba03
+-  sha: 373818b1dee2c502264edf654d6d8f857b558865437f080e02d5ba6bb9e72cc3
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.3/bitbake-b8fd6f5d9959d27176ea016c249cf6d35ac8ba03.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0.3/bitbake-b8fd6f5d9959d27176ea016c249cf6d35ac8ba03.tar.bz2
+
+yocto-docs
+
+-  Repository Location: https://git.yoctoproject.org/git/yocto-docs
+-  Branch: :yocto_git:`kirkstone </yocto-docs/log/?h=kirkstone>`
+-  Tag: :yocto_git:`yocto-4.0.3 </yocto-docs/log/?h=yocto-4.0.3>`
+-  Git Revision: :yocto_git:`d9b3dcf65ef25c06f552482aba460dd16862bf96 </yocto-docs/commit/?id=d9b3dcf65ef25c06f552482aba460dd16862bf96>`
+
--- a/documentation/migration-guides/release-notes-4.0.4.rst
+++ b/documentation/migration-guides/release-notes-4.0.4.rst
@@ -0,0 +1,299 @@
+Release notes for Yocto-4.0.4 (Kirkstone)
+-----------------------------------------
+
+Security Fixes in Yocto-4.0.4
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  binutils : fix :cve:`2022-38533`
+-  curl: fix :cve:`2022-35252`
+-  sqlite: fix :cve:`2022-35737`
+-  grub2: fix :cve:`2021-3695`, :cve:`2021-3696`, :cve:`2021-3697`, :cve:`2022-28733`, :cve:`2022-28734` and :cve:`2022-28735`
+-  u-boot: fix :cve:`2022-30552` and :cve:`2022-33967`
+-  libxml2: Ignore :cve:`2016-3709`
+-  libtiff: fix :cve:`2022-34526`
+-  zlib: fix :cve:`2022-37434`
+-  gnutls: fix :cve:`2022-2509`
+-  u-boot: fix :cve:`2022-33103`
+-  qemu: fix :cve:`2021-3507`, :cve:`2021-3929`, :cve:`2021-4158`, :cve:`2022-0216` and :cve:`2022-0358`
+
+
+Fixes in Yocto-4.0.4
+~~~~~~~~~~~~~~~~~~~~
+
+-  apr: Cache configure tests which use AC_TRY_RUN
+-  apr: Use correct strerror_r implementation based on libc type
+-  apt: fix nativesdk-apt build failure during the second time build
+-  archiver.bbclass: remove unsed do_deploy_archives[dirs]
+-  archiver.bbclass: some recipes that uses the kernelsrc bbclass uses the shared source
+-  autoconf: Fix strict prototype errors in generated tests
+-  autoconf: Update K & R stype functions
+-  bind: upgrade to 9.18.5
+-  bitbake.conf: set BB_DEFAULT_UMASK using ??=
+-  bitbake: ConfHandler/BBHandler: Improve comment error messages and add tests
+-  bitbake: ConfHandler: Remove lingering close
+-  bitbake: bb/utils: movefile: use the logger for printing
+-  bitbake: bb/utils: remove: check the path again the expand python glob
+-  bitbake: bitbake-user-manual: Correct description of the ??= operator
+-  bitbake: bitbake-user-manual: npm fetcher: improve description of SRC_URI format
+-  bitbake: bitbake: bitbake-user-manual: hashserv can be accessed on a dedicated domain
+-  bitbake: bitbake: runqueue: add cpu/io pressure regulation
+-  bitbake: bitbake: runqueue: add memory pressure regulation
+-  bitbake: cooker: Drop sre_constants usage
+-  bitbake: doc: bitbake-user-manual: add explicit target for crates fetcher
+-  bitbake: doc: bitbake-user-manual: document npm and npmsw fetchers
+-  bitbake: event.py: ignore exceptions from stdout and sterr operations in atexit
+-  bitbake: fetch2: Ensure directory exists before creating symlink
+-  bitbake: fetch2: gitsm: fix incorrect handling of git submodule relative urls
+-  bitbake: runqueue: Change pressure file warning to a note
+-  bitbake: runqueue: Fix unihash cache mismatch issues
+-  bitbake: toaster: fix kirkstone version
+-  bitbake: utils: Pass lock argument in fileslocked
+-  bluez5: upgrade to 5.65
+-  boost: fix install of fiber shared libraries
+-  cairo: Adapt the license information based on what is being built
+-  classes: cve-check: Get shared database lock
+-  cmake: remove CMAKE_ASM_FLAGS variable in toolchain file
+-  connman: Backports for security fixes
+-  core-image.bbclass: Exclude openssh complementary packages
+-  cracklib: Drop using register keyword
+-  cracklib: upgrade to 2.9.8
+-  create-spdx: Fix supplier field
+-  create-spdx: handle links to inaccessible locations
+-  create-spdx: ignore packing control files from ipk and deb
+-  cve-check: Don't use f-strings
+-  cve-check: close cursors as soon as possible
+-  devtool/upgrade: catch bb.fetch2.decodeurl errors
+-  devtool/upgrade: correctly clean up when recipe filename isn't yet known
+-  devtool: error out when workspace is using old override syntax
+-  ell: upgrade to 0.50
+-  epiphany: upgrade to 42.4
+-  externalsrc: Don't wipe out src dir when EXPORT_FUNCTIONS is used.
+-  gcc-multilib-config: Fix i686 toolchain relocation issues
+-  gcr: Define _GNU_SOURCE
+-  gdk-pixbuf: upgrade to 2.42.9
+-  glib-networking: upgrade to 2.72.2
+-  go: upgrade to v1.17.13
+-  insane.bbclass: Skip patches not in oe-core by full path
+-  iso-codes: upgrade to 4.11.0
+-  kernel-fitimage.bbclass: add padding algorithm property in config nodes
+-  kernel-fitimage.bbclass: only package unique DTBs
+-  kernel: Always set CC and LD for the kernel build
+-  kernel: Use consistent make flags for menuconfig
+-  lib:npm_registry: initial checkin
+-  libatomic-ops: upgrade to 7.6.14
+-  libcap: upgrade to 2.65
+-  libjpeg-turbo: upgrade to 2.1.4
+-  libpam: use /run instead of /var/run in systemd tmpfiles
+-  libtasn1: upgrade to 4.19.0
+-  liburcu: upgrade to 0.13.2
+-  libwebp: upgrade to 1.2.4
+-  libwpe: upgrade to 1.12.3
+-  libxml2: Port gentest.py to Python-3
+-  lighttpd: upgrade to 1.4.66
+-  linux-yocto/5.10: update genericx86* machines to v5.10.135
+-  linux-yocto/5.10: update to v5.10.137
+-  linux-yocto/5.15: update genericx86* machines to v5.15.59
+-  linux-yocto/5.15: update to v5.15.62
+-  linux-yocto: Fix COMPATIBLE_MACHINE regex match
+-  linux-yocto: prepend the the value with a space when append to KERNEL_EXTRA_ARGS
+-  lttng-modules: fix 5.19+ build
+-  lttng-modules: fix build against mips and v5.19 kernel
+-  lttng-modules: fix build for kernel 5.10.137
+-  lttng-modules: replace mips compaction fix with upstream change
+-  lz4: upgrade to 1.9.4
+-  maintainers: update opkg maintainer
+-  meta: introduce UBOOT_MKIMAGE_KERNEL_TYPE
+-  migration guides: add missing release notes
+-  mobile-broadband-provider-info: upgrade to 20220725
+-  nativesdk: Clear TUNE_FEATURES
+-  npm: replace 'npm pack' call by 'tar czf'
+-  npm: return content of 'package.json' in 'npm_pack'
+-  npm: take 'version' directly from 'package.json'
+-  npm: use npm_registry to cache package
+-  oeqa/gotoolchain: put writable files in the Go module cache
+-  oeqa/gotoolchain: set CGO_ENABLED=1
+-  oeqa/parselogs: add qemuarmv5 arm-charlcd masking
+-  oeqa/qemurunner: add run_serial() comment
+-  oeqa/selftest: rename git.py to intercept.py
+-  oeqa: qemurunner: Report UNIX Epoch timestamp on login
+-  package_rpm: Do not replace square brackets in %files
+-  packagegroup-self-hosted: update for strace
+-  parselogs: Ignore xf86OpenConsole error
+-  perf: Fix reproducibility issues with 5.19 onwards
+-  pinentry: enable _XOPEN_SOURCE on musl for wchar usage in curses
+-  poky.conf: add ubuntu-22.04 to tested distros
+-  poky.conf: bump version for 4.0.4
+-  pseudo: Update to include recent upstream minor fixes
+-  python3-pip: Fix RDEPENDS after the update
+-  ref-manual: add numa to machine features
+-  relocate_sdk.py: ensure interpreter size error causes relocation to fail
+-  rootfs-postcommands.bbclass: avoid moving ssh host keys if etc is writable
+-  rootfs.py: dont try to list installed packages for baremetal images
+-  rootfspostcommands.py: Cleanup subid backup files generated by shadow-utils
+-  ruby: drop capstone support
+-  runqemu: Add missing space on default display option
+-  runqemu: display host uptime when starting
+-  sanity: add a comment to ensure CONNECTIVITY_CHECK_URIS is correct
+-  scripts/oe-setup-builddir: make it known where configurations come from
+-  scripts/runqemu.README: fix typos and trailing whitespaces
+-  selftest/wic: Tweak test case to not depend on kernel size
+-  shadow: Avoid nss warning/error with musl
+-  shadow: Enable subid support
+-  system-requirements.rst: Add Ubuntu 22.04 to list of supported distros
+-  systemd: Add 'no-dns-fallback' PACKAGECONFIG option
+-  systemd: Fix unwritable /var/lock when no sysvinit handling
+-  sysvinit-inittab/start_getty: Fix respawn too fast
+-  tcp-wrappers: Fix implicit-function-declaration warnings
+-  tzdata: upgrade to 2022b
+-  util-linux: Remove --enable-raw from EXTRA_OECONF
+-  vala: upgrade to 0.56.3
+-  vim: Upgrade to 9.0.0453
+-  watchdog: Include needed system header for function decls
+-  webkitgtk: upgrade to 2.36.5
+-  weston: upgrade to 10.0.2
+-  wic/bootimg-efi: use cross objcopy when building unified kernel image
+-  wic: add target tools to PATH when executing native commands
+-  wic: depend on cross-binutils
+-  wireless-regdb: upgrade to 2022.08.12
+-  wpebackend-fdo: upgrade to 1.12.1
+-  xinetd: Pass missing -D_GNU_SOURCE
+-  xz: update to 5.2.6
+
+
+Known Issues in Yocto-4.0.4
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- N/A
+
+
+Contributors to Yocto-4.0.4
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  Alejandro Hernandez Samaniego
+-  Alex Stewart
+-  Alexander Kanavin
+-  Alexandre Belloni
+-  Andrei Gherzan
+-  Anuj Mittal
+-  Aryaman Gupta
+-  Awais Belal
+-  Beniamin Sandu
+-  Bertrand Marquis
+-  Bruce Ashfield
+-  Changqing Li
+-  Chee Yang Lee
+-  Daiane Angolini
+-  Enrico Scholz
+-  Ernst Sjöstrand
+-  Gennaro Iorio
+-  Hitendra Prajapati
+-  Jacob Kroon
+-  Jon Mason
+-  Jose Quaresma
+-  Joshua Watt
+-  Kai Kang
+-  Khem Raj
+-  Kristian Amlie
+-  LUIS ENRIQUEZ
+-  Mark Hatle
+-  Martin Beeger
+-  Martin Jansa
+-  Mateusz Marciniec
+-  Michael Opdenacker
+-  Mihai Lindner
+-  Mikko Rapeli
+-  Ming Liu
+-  Niko Mauno
+-  Ola x Nilsson
+-  Otavio Salvador
+-  Paul Eggleton
+-  Pavel Zhukov
+-  Peter Bergin
+-  Peter Kjellerstedt
+-  Peter Marko
+-  Rajesh Dangi
+-  Randy MacLeod
+-  Rasmus Villemoes
+-  Richard Purdie
+-  Robert Joslyn
+-  Roland Hieber
+-  Ross Burton
+-  Sakib Sajal
+-  Shubham Kulkarni
+-  Steve Sakoman
+-  Ulrich Ölmann
+-  Yang Xu
+-  Yongxin Liu
+-  ghassaneben
+-  pgowda
+-  wangmy
+
+Repositories / Downloads for Yocto-4.0.4
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+poky
+
+-  Repository Location: https://git.yoctoproject.org/git/poky
+-  Branch: :yocto_git:`kirkstone </poky/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.4 </poky/log/?h=yocto-4.0.4>`
+-  Git Revision: :yocto_git:`d64bef1c7d713b92a51228e5ade945835e5a94a4 </poky/commit/?id=d64bef1c7d713b92a51228e5ade945835e5a94a4>`
+-  Release Artefact: poky-d64bef1c7d713b92a51228e5ade945835e5a94a4
+-  sha: b5e92506b31f88445755bad2f45978b747ad1a5bea66ca897370542df5f1e7db
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.4/poky-d64bef1c7d713b92a51228e5ade945835e5a94a4.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0.4/poky-d64bef1c7d713b92a51228e5ade945835e5a94a4.tar.bz2
+
+openembedded-core
+
+-  Repository Location: https://git.openembedded.org/openembedded-core
+-  Branch: :oe_git:`kirkstone </openembedded-core/log/?h=kirkstone>`
+-  Tag:  :oe_git:`yocto-4.0.4 </openembedded-core/log/?h=yocto-4.0.4>`
+-  Git Revision: :oe_git:`f7766da462905ec67bf549d46b8017be36cd5b2a </openembedded-core/commit/?id=f7766da462905ec67bf549d46b8017be36cd5b2a>`
+-  Release Artefact: oecore-f7766da462905ec67bf549d46b8017be36cd5b2a
+-  sha: ce0ac011474db5e5f0bb1be3fb97f890a02e46252a719dbcac5813268e48ff16
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.4/oecore-f7766da462905ec67bf549d46b8017be36cd5b2a.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0.4/oecore-f7766da462905ec67bf549d46b8017be36cd5b2a.tar.bz2
+
+meta-mingw
+
+-  Repository Location: https://git.yoctoproject.org/git/meta-mingw
+-  Branch: :yocto_git:`kirkstone </meta-mingw/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.4 </meta-mingw/log/?h=yocto-4.0.4>`
+-  Git Revision: :yocto_git:`a90614a6498c3345704e9611f2842eb933dc51c1 </meta-mingw/commit/?id=a90614a6498c3345704e9611f2842eb933dc51c1>`
+-  Release Artefact: meta-mingw-a90614a6498c3345704e9611f2842eb933dc51c1
+-  sha: 49f9900bfbbc1c68136f8115b314e95d0b7f6be75edf36a75d9bcd1cca7c6302
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.4/meta-mingw-a90614a6498c3345704e9611f2842eb933dc51c1.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0.4/meta-mingw-a90614a6498c3345704e9611f2842eb933dc51c1.tar.bz2
+
+meta-gplv2
+
+-  Repository Location: https://git.yoctoproject.org/git/meta-gplv2
+-  Branch: :yocto_git:`kirkstone </meta-gplv2/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.4 </meta-gplv2/log/?h=yocto-4.0.4>`
+-  Git Revision: :yocto_git:`d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a </meta-gplv2/commit/?id=d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a>`
+-  Release Artefact: meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a
+-  sha: c386f59f8a672747dc3d0be1d4234b6039273d0e57933eb87caa20f56b9cca6d
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.4/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0.4/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+
+bitbake
+
+-  Repository Location: https://git.openembedded.org/bitbake
+-  Branch: :oe_git:`2.0 </bitbake/log/?h=2.0>`
+-  Tag:  :oe_git:`yocto-4.0.4 </bitbake/log/?h=yocto-4.0.4>`
+-  Git Revision: :oe_git:`ac576d6fad6bba0cfea931883f25264ea83747ca </bitbake/commit/?id=ac576d6fad6bba0cfea931883f25264ea83747ca>`
+-  Release Artefact: bitbake-ac576d6fad6bba0cfea931883f25264ea83747ca
+-  sha: 526c2768874eeda61ade8c9ddb3113c90d36ef44a026d6690f02de6f3dd0ea12
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0.4/bitbake-ac576d6fad6bba0cfea931883f25264ea83747ca.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0.4/bitbake-ac576d6fad6bba0cfea931883f25264ea83747ca.tar.bz2
+
+yocto-docs
+
+-  Repository Location: https://git.yoctoproject.org/git/yocto-docs
+-  Branch: :yocto_git:`kirkstone </yocto-docs/log/?h=kirkstone>`
+-  Tag: :yocto_git:`yocto-4.0.4 </yocto-docs/log/?h=yocto-4.0.4>`
+-  Git Revision: :yocto_git:`f632dad24c39778f948014029e74db3c871d9d21 </yocto-docs/commit/?id=f632dad24c39778f948014029e74db3c871d9d21>`
--- a/documentation/poky.yaml.in
+++ b/documentation/poky.yaml.in
@@ -44,4 +44,5 @@ PIP3_HOST_PACKAGES_DOC : "$ sudo pip3 install sphinx sphinx_rtd_theme pyyaml"
 MIN_PYTHON_VERSION : "3.6.0"
 MIN_TAR_VERSION : "1.28"
 MIN_GIT_VERSION : "1.8.3.1"
-MIN_GCC_VERSION : "5.0"
+MIN_GCC_VERSION : "7.5"
+MIN_MAKE_VERSION : "4.0"
--- a/documentation/ref-manual/features.rst
+++ b/documentation/ref-manual/features.rst
@@ -62,6 +62,8 @@ Project metadata:

 -  *keyboard:* Hardware has a keyboard

+-  *numa:* Hardware has non-uniform memory access
+
 -  *pcbios:* Support for booting through BIOS

 -  *pci:* Hardware has a PCI bus
--- a/documentation/ref-manual/system-requirements.rst
+++ b/documentation/ref-manual/system-requirements.rst
@@ -41,6 +41,8 @@ distributions:

 -  Ubuntu 20.04 (LTS)

+-  Ubuntu 22.04 (LTS)
+
 -  Fedora 34

 -  Fedora 35
--- a/meta-poky/conf/distro/poky.conf
+++ b/meta-poky/conf/distro/poky.conf
@@ -1,7 +1,7 @@
 DISTRO = "poky"
 DISTRO_NAME = "Poky (Yocto Project Reference Distro)"
 #DISTRO_VERSION = "3.4+snapshot-${METADATA_REVISION}"
-DISTRO_VERSION = "4.0.3"
+DISTRO_VERSION = "4.0.5"
 DISTRO_CODENAME = "kirkstone"
 SDK_VENDOR = "-pokysdk"
 SDK_VERSION = "${@d.getVar('DISTRO_VERSION').replace('snapshot-${METADATA_REVISION}', 'snapshot')}"
@@ -38,6 +38,7 @@ SANITY_TESTED_DISTROS ?= " \
            ubuntu-18.04 \n \
            ubuntu-20.04 \n \
            ubuntu-21.10 \n \
+            ubuntu-22.04 \n \
            fedora-34 \n \
            fedora-35 \n \
            centos-7 \n \
--- a/meta-poky/conf/local.conf.sample
+++ b/meta-poky/conf/local.conf.sample
@@ -229,7 +229,7 @@ BB_DISKMON_DIRS ??= "\
 # which will depend on your network.
 # Note: For this to work you also need hash-equivalence passthrough to the matching server
 #
-#BB_HASHSERVE_UPSTREAM = "typhoon.yocto.io:8687"
+#BB_HASHSERVE_UPSTREAM = "hashserv.yocto.io:8687"
 #SSTATE_MIRRORS ?= "file://.* http://sstate.yoctoproject.org/all/PATH;downloadfilename=PATH"

 #
--- a/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.10.bbappend
+++ b/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.10.bbappend
@@ -7,8 +7,8 @@ KMACHINE:genericx86 ?= "common-pc"
 KMACHINE:genericx86-64 ?= "common-pc-64"
 KMACHINE:beaglebone-yocto ?= "beaglebone"

-SRCREV_machine:genericx86 ?= "2883e69e202dc7948c99a7828e192b2b42c2d90a"
-SRCREV_machine:genericx86-64 ?= "2883e69e202dc7948c99a7828e192b2b42c2d90a"
+SRCREV_machine:genericx86 ?= "d09b184cbc0321794bda715ab560dec077a048d0"
+SRCREV_machine:genericx86-64 ?= "d09b184cbc0321794bda715ab560dec077a048d0"
 SRCREV_machine:edgerouter ?= "7c9332d91089ee63581be6cd3e7197c9d3e9a883"
 SRCREV_machine:beaglebone-yocto ?= "3c44f12b9de336579d00ac0105852f4cbf7e8b7d"

@@ -17,7 +17,7 @@ COMPATIBLE_MACHINE:genericx86-64 = "genericx86-64"
 COMPATIBLE_MACHINE:edgerouter = "edgerouter"
 COMPATIBLE_MACHINE:beaglebone-yocto = "beaglebone-yocto"

-LINUX_VERSION:genericx86 = "5.10.130"
-LINUX_VERSION:genericx86-64 = "5.10.130"
+LINUX_VERSION:genericx86 = "5.10.135"
+LINUX_VERSION:genericx86-64 = "5.10.135"
 LINUX_VERSION:edgerouter = "5.10.130"
 LINUX_VERSION:beaglebone-yocto = "5.10.130"
--- a/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.15.bbappend
+++ b/meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.15.bbappend
@@ -7,8 +7,8 @@ KMACHINE:genericx86 ?= "common-pc"
 KMACHINE:genericx86-64 ?= "common-pc-64"
 KMACHINE:beaglebone-yocto ?= "beaglebone"

-SRCREV_machine:genericx86 ?= "a40d2daf2795d89e3ef8af0413b25190558831ec"
-SRCREV_machine:genericx86-64 ?= "a40d2daf2795d89e3ef8af0413b25190558831ec"
+SRCREV_machine:genericx86 ?= "efe20512212b0e85b5f884b1bfc8fbba2b43541a"
+SRCREV_machine:genericx86-64 ?= "efe20512212b0e85b5f884b1bfc8fbba2b43541a"
 SRCREV_machine:edgerouter ?= "90f1ee6589264545f548d731c2480b08a007230f"
 SRCREV_machine:beaglebone-yocto ?= "9aabbaa89fcb21af7028e814c1f5b61171314d5a"

@@ -17,7 +17,7 @@ COMPATIBLE_MACHINE:genericx86-64 = "genericx86-64"
 COMPATIBLE_MACHINE:edgerouter = "edgerouter"
 COMPATIBLE_MACHINE:beaglebone-yocto = "beaglebone-yocto"

-LINUX_VERSION:genericx86 = "5.15.54"
-LINUX_VERSION:genericx86-64 = "5.15.54"
+LINUX_VERSION:genericx86 = "5.15.59"
+LINUX_VERSION:genericx86-64 = "5.15.59"
 LINUX_VERSION:edgerouter = "5.15.54"
 LINUX_VERSION:beaglebone-yocto = "5.15.54"
--- a/meta/classes/archiver.bbclass
+++ b/meta/classes/archiver.bbclass
@@ -69,7 +69,6 @@ SSTATE_ALLOW_OVERLAP_FILES += "${DEPLOY_DIR_SRC}/mirror"
 do_dumpdata[dirs] = "${ARCHIVER_OUTDIR}"
 do_ar_recipe[dirs] = "${ARCHIVER_OUTDIR}"
 do_ar_original[dirs] = "${ARCHIVER_OUTDIR} ${ARCHIVER_WORKDIR}"
-do_deploy_archives[dirs] = "${WORKDIR}"

 # This is a convenience for the shell script to use it

@@ -460,7 +459,9 @@ def create_diff_gz(d, src_orig, src, ar_outdir):

 def is_work_shared(d):
    pn = d.getVar('PN')
-    return bb.data.inherits_class('kernel', d) or pn.startswith('gcc-source')
+    return pn.startswith('gcc-source') or \
+        bb.data.inherits_class('kernel', d) or \
+        (bb.data.inherits_class('kernelsrc', d) and d.getVar('S') == d.getVar('STAGING_KERNEL_DIR'))

 # Run do_unpack and do_patch
 python do_unpack_and_patch() {
--- a/meta/classes/core-image.bbclass
+++ b/meta/classes/core-image.bbclass
@@ -59,6 +59,10 @@ FEATURE_PACKAGES_hwcodecs = "${MACHINE_HWCODECS}"
 # IMAGE_FEATURES_REPLACES_foo = 'bar1 bar2'
 # Including image feature foo would replace the image features bar1 and bar2
 IMAGE_FEATURES_REPLACES_ssh-server-openssh = "ssh-server-dropbear"
+# Do not install openssh complementary packages if either packagegroup-core-ssh-dropbear or dropbear
+# is installed # to avoid openssh-dropbear conflict
+# see [Yocto #14858] for more information
+PACKAGE_EXCLUDE_COMPLEMENTARY:append = "${@bb.utils.contains_any('PACKAGE_INSTALL', 'packagegroup-core-ssh-dropbear dropbear', 'openssh', '' , d)}"

 # IMAGE_FEATURES_CONFLICTS_foo = 'bar1 bar2'
 # An error exception would be raised if both image features foo and bar1(or bar2) are included
--- a/meta/classes/create-spdx.bbclass
+++ b/meta/classes/create-spdx.bbclass
@@ -210,7 +210,7 @@ def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archiv
            filepath = Path(subdir) / file
            filename = str(filepath.relative_to(topdir))

-            if filepath.is_file() and not filepath.is_symlink():
+            if not filepath.is_symlink() and filepath.is_file():
                spdx_file = oe.spdx.SPDXFile()
                spdx_file.SPDXID = get_spdxid(file_counter)
                for t in get_types(filepath):
@@ -445,7 +445,7 @@ python do_create_spdx() {
    recipe.name = d.getVar("PN")
    recipe.versionInfo = d.getVar("PV")
    recipe.SPDXID = oe.sbom.get_recipe_spdxid(d)
-    recipe.packageSupplier = d.getVar("SPDX_SUPPLIER")
+    recipe.supplier = d.getVar("SPDX_SUPPLIER")
    if bb.data.inherits_class("native", d) or bb.data.inherits_class("cross", d):
        recipe.annotations.append(create_annotation(d, "isNative"))

@@ -555,7 +555,7 @@ python do_create_spdx() {
            spdx_package.name = pkg_name
            spdx_package.versionInfo = d.getVar("PV")
            spdx_package.licenseDeclared = convert_license_to_spdx(package_license, package_doc, d, found_licenses)
-            spdx_package.packageSupplier = d.getVar("SPDX_SUPPLIER")
+            spdx_package.supplier = d.getVar("SPDX_SUPPLIER")

            package_doc.packages.append(spdx_package)

@@ -571,6 +571,7 @@ python do_create_spdx() {
                    pkgdest / package,
                    lambda file_counter: oe.sbom.get_packaged_file_spdxid(pkg_name, file_counter),
                    lambda filepath: ["BINARY"],
+                    ignore_top_level_dirs=['CONTROL', 'DEBIAN'],
                    archive=archive,
                )

@@ -895,7 +896,7 @@ def combine_spdx(d, rootfs_name, rootfs_deploydir, rootfs_spdxid, packages):
    image.name = d.getVar("PN")
    image.versionInfo = d.getVar("PV")
    image.SPDXID = rootfs_spdxid
-    image.packageSupplier = d.getVar("SPDX_SUPPLIER")
+    image.supplier = d.getVar("SPDX_SUPPLIER")

    doc.packages.append(image)

--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -139,17 +139,18 @@ python do_cve_check () {
    """
    from oe.cve_check import get_patched_cves

-    if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
-        try:
-            patched_cves = get_patched_cves(d)
-        except FileNotFoundError:
-            bb.fatal("Failure in searching patches")
-        ignored, patched, unpatched, status = check_cves(d, patched_cves)
-        if patched or unpatched or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status):
-            cve_data = get_cve_info(d, patched + unpatched + ignored)
-            cve_write_data(d, patched, unpatched, ignored, cve_data, status)
-    else:
-        bb.note("No CVE database found, skipping CVE check")
+    with bb.utils.fileslocked([d.getVar("CVE_CHECK_DB_FILE_LOCK")], shared=True):
+        if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
+            try:
+                patched_cves = get_patched_cves(d)
+            except FileNotFoundError:
+                bb.fatal("Failure in searching patches")
+            ignored, patched, unpatched, status = check_cves(d, patched_cves)
+            if patched or unpatched or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status):
+                cve_data = get_cve_info(d, patched + unpatched + ignored)
+                cve_write_data(d, patched, unpatched, ignored, cve_data, status)
+        else:
+            bb.note("No CVE database found, skipping CVE check")

 }

@@ -290,7 +291,8 @@ def check_cves(d, patched_cves):
            vendor = "%"

        # Find all relevant CVE IDs.
-        for cverow in conn.execute("SELECT DISTINCT ID FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR LIKE ?", (product, vendor)):
+        cve_cursor = conn.execute("SELECT DISTINCT ID FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR LIKE ?", (product, vendor))
+        for cverow in cve_cursor:
            cve = cverow[0]

            if cve in cve_ignore:
@@ -309,7 +311,8 @@ def check_cves(d, patched_cves):
            vulnerable = False
            ignored = False

-            for row in conn.execute("SELECT * FROM PRODUCTS WHERE ID IS ? AND PRODUCT IS ? AND VENDOR LIKE ?", (cve, product, vendor)):
+            product_cursor = conn.execute("SELECT * FROM PRODUCTS WHERE ID IS ? AND PRODUCT IS ? AND VENDOR LIKE ?", (cve, product, vendor))
+            for row in product_cursor:
                (_, _, _, version_start, operator_start, version_end, operator_end) = row
                #bb.debug(2, "Evaluating row " + str(row))
                if cve in cve_ignore:
@@ -353,10 +356,12 @@ def check_cves(d, patched_cves):
                        bb.note("%s-%s is vulnerable to %s" % (pn, real_pv, cve))
                        cves_unpatched.append(cve)
                    break
+            product_cursor.close()

            if not vulnerable:
                bb.note("%s-%s is not vulnerable to %s" % (pn, real_pv, cve))
                patched_cves.add(cve)
+        cve_cursor.close()

        if not cves_in_product:
            bb.note("No CVE records found for product %s, pn %s" % (product, pn))
@@ -381,14 +386,15 @@ def get_cve_info(d, cves):
    conn = sqlite3.connect(db_file, uri=True)

    for cve in cves:
-        for row in conn.execute("SELECT * FROM NVD WHERE ID IS ?", (cve,)):
+        cursor = conn.execute("SELECT * FROM NVD WHERE ID IS ?", (cve,))
+        for row in cursor:
            cve_data[row[0]] = {}
            cve_data[row[0]]["summary"] = row[1]
            cve_data[row[0]]["scorev2"] = row[2]
            cve_data[row[0]]["scorev3"] = row[3]
            cve_data[row[0]]["modified"] = row[4]
            cve_data[row[0]]["vector"] = row[5]
-
+        cursor.close()
    conn.close()
    return cve_data

--- a/meta/classes/externalsrc.bbclass
+++ b/meta/classes/externalsrc.bbclass
@@ -90,16 +90,18 @@ python () {
                # Since configure will likely touch ${S}, ensure only we lock so one task has access at a time
                d.appendVarFlag(task, "lockfiles", " ${S}/singletask.lock")

-            for funcname in [task, "base_" + task, "kernel_" + task]:
+        for v in d.keys():
+            cleandirs = d.getVarFlag(v, "cleandirs", False)
+            if cleandirs:
                # We do not want our source to be wiped out, ever (kernel.bbclass does this for do_clean)
-                cleandirs = oe.recipeutils.split_var_value(d.getVarFlag(funcname, 'cleandirs', False) or '')
+                cleandirs = oe.recipeutils.split_var_value(cleandirs)
                setvalue = False
                for cleandir in cleandirs[:]:
                    if oe.path.is_path_parent(externalsrc, d.expand(cleandir)):
                        cleandirs.remove(cleandir)
                        setvalue = True
                if setvalue:
-                    d.setVarFlag(funcname, 'cleandirs', ' '.join(cleandirs))
+                    d.setVarFlag(v, 'cleandirs', ' '.join(cleandirs))

        fetch_tasks = ['do_fetch', 'do_unpack']
        # If we deltask do_patch, there's no dependency to ensure do_unpack gets run, so add one
--- a/meta/classes/image_types_wic.bbclass
+++ b/meta/classes/image_types_wic.bbclass
@@ -84,6 +84,8 @@ do_image_wic[deptask] += "do_image_complete"

 WKS_FILE_DEPENDS_DEFAULT = '${@bb.utils.contains_any("BUILD_ARCH", [ 'x86_64', 'i686' ], "syslinux-native", "",d)}'
 WKS_FILE_DEPENDS_DEFAULT += "bmap-tools-native cdrtools-native btrfs-tools-native squashfs-tools-native e2fsprogs-native"
+# Unified kernel images need objcopy
+WKS_FILE_DEPENDS_DEFAULT += "virtual/${MLPREFIX}${TARGET_PREFIX}binutils"
 WKS_FILE_DEPENDS_BOOTLOADERS = ""
 WKS_FILE_DEPENDS_BOOTLOADERS:x86 = "syslinux grub-efi systemd-boot os-release"
 WKS_FILE_DEPENDS_BOOTLOADERS:x86-64 = "syslinux grub-efi systemd-boot os-release"
--- a/meta/classes/insane.bbclass
+++ b/meta/classes/insane.bbclass
@@ -1196,11 +1196,12 @@ python do_qa_patch() {
    import re
    from oe import patch

+    coremeta_path = os.path.join(d.getVar('COREBASE'), 'meta', '')
    for url in patch.src_patches(d):
       (_, _, fullpath, _, _, _) = bb.fetch.decodeurl(url)

       # skip patches not in oe-core
-       if '/meta/' not in fullpath:
+       if not os.path.abspath(fullpath).startswith(coremeta_path):
           continue

       kinda_status_re = re.compile(r"^.*upstream.*status.*$", re.IGNORECASE | re.MULTILINE)
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -148,7 +148,7 @@ fitimage_emit_section_kernel() {
                kernel-$2 {
                        description = "Linux kernel";
                        data = /incbin/("$3");
-                        type = "kernel";
+                        type = "${UBOOT_MKIMAGE_KERNEL_TYPE}";
                        arch = "${UBOOT_ARCH}";
                        os = "linux";
                        compression = "$4";
@@ -346,6 +346,7 @@ fitimage_emit_section_config() {

 	conf_csum="${FIT_HASH_ALG}"
 	conf_sign_algo="${FIT_SIGN_ALG}"
+	conf_padding_algo="${FIT_PAD_ALG}"
 	if [ "${UBOOT_SIGN_ENABLE}" = "1" ] ; then
 		conf_sign_keyname="${UBOOT_SIGN_KEYNAME}"
 	fi
@@ -465,6 +466,7 @@ EOF
                        signature-1 {
                                algo = "$conf_csum,$conf_sign_algo";
                                key-name-hint = "$conf_sign_keyname";
+                                padding = "$conf_padding_algo";
                                $sign_line
                        };
 EOF
@@ -527,6 +529,10 @@ fitimage_assemble() {
 			fi

 			DTB=$(echo "$DTB" | tr '/' '_')
+
+			# Skip DTB if we've picked it up previously
+			echo "$DTBS" | tr ' ' '\n' | grep -xq "$DTB" && continue
+
 			DTBS="$DTBS $DTB"
 			fitimage_emit_section_dtb $1 $DTB $DTB_PATH
 		done
@@ -536,6 +542,10 @@ fitimage_assemble() {
 		dtbcount=1
 		for DTB in $(find "${EXTERNAL_KERNEL_DEVICETREE}" \( -name '*.dtb' -o -name '*.dtbo' \) -printf '%P\n' | sort); do
 			DTB=$(echo "$DTB" | tr '/' '_')
+
+			# Skip DTB if we've picked it up previously
+			echo "$DTBS" | tr ' ' '\n' | grep -xq "$DTB" && continue
+
 			DTBS="$DTBS $DTB"
 			fitimage_emit_section_dtb $1 $DTB "${EXTERNAL_KERNEL_DEVICETREE}/$DTB"
 		done
--- a/meta/classes/kernel-uboot.bbclass
+++ b/meta/classes/kernel-uboot.bbclass
@@ -2,6 +2,9 @@
 FIT_KERNEL_COMP_ALG ?= "gzip"
 FIT_KERNEL_COMP_ALG_EXTENSION ?= ".gz"

+# Kernel image type passed to mkimage (i.e. kernel kernel_noload...)
+UBOOT_MKIMAGE_KERNEL_TYPE ?= "kernel"
+
 uboot_prep_kimage() {
 	if [ -e arch/${ARCH}/boot/compressed/vmlinux ]; then
 		vmlinux_path="arch/${ARCH}/boot/compressed/vmlinux"
--- a/meta/classes/kernel-uimage.bbclass
+++ b/meta/classes/kernel-uimage.bbclass
@@ -30,6 +30,6 @@ do_uboot_mkimage() {
 			awk '$3=="${UBOOT_ENTRYSYMBOL}" {print "0x"$1;exit}'`
 	fi

-	uboot-mkimage -A ${UBOOT_ARCH} -O linux -T kernel -C "${linux_comp}" -a ${UBOOT_LOADADDRESS} -e $ENTRYPOINT -n "${DISTRO_NAME}/${PV}/${MACHINE}" -d linux.bin ${B}/arch/${ARCH}/boot/uImage
+	uboot-mkimage -A ${UBOOT_ARCH} -O linux -T ${UBOOT_MKIMAGE_KERNEL_TYPE} -C "${linux_comp}" -a ${UBOOT_LOADADDRESS} -e $ENTRYPOINT -n "${DISTRO_NAME}/${PV}/${MACHINE}" -d linux.bin ${B}/arch/${ARCH}/boot/uImage
 	rm -f linux.bin
 }
--- a/meta/classes/kernel-yocto.bbclass
+++ b/meta/classes/kernel-yocto.bbclass
@@ -322,7 +322,11 @@ do_patch() {
 	meta_dir=$(kgit --meta)
 	(cd ${meta_dir}; ln -sf patch.queue series)
 	if [ -f "${meta_dir}/series" ]; then
-		kgit-s2q --gen -v --patches .kernel-meta/
+		kgit_extra_args=""
+		if [ "${KERNEL_DEBUG_TIMESTAMPS}" != "1" ]; then
+		    kgit_extra_args="--commit-sha author"
+		fi
+		kgit-s2q --gen -v $kgit_extra_args --patches .kernel-meta/
 		if [ $? -ne 0 ]; then
 			bberror "Could not apply patches for ${KMACHINE}."
 			bbfatal_log "Patch failures can be resolved in the linux source directory ${S})"
--- a/meta/classes/kernel.bbclass
+++ b/meta/classes/kernel.bbclass
@@ -231,8 +231,9 @@ UBOOT_LOADADDRESS ?= "${UBOOT_ENTRYPOINT}"
 # Some Linux kernel configurations need additional parameters on the command line
 KERNEL_EXTRA_ARGS ?= ""

-EXTRA_OEMAKE = " HOSTCC="${BUILD_CC}" HOSTCFLAGS="${BUILD_CFLAGS}" HOSTLDFLAGS="${BUILD_LDFLAGS}" HOSTCPP="${BUILD_CPP}""
-EXTRA_OEMAKE += " HOSTCXX="${BUILD_CXX}" HOSTCXXFLAGS="${BUILD_CXXFLAGS}" PAHOLE=false"
+EXTRA_OEMAKE += ' CC="${KERNEL_CC}" LD="${KERNEL_LD}"'
+EXTRA_OEMAKE += ' HOSTCC="${BUILD_CC}" HOSTCFLAGS="${BUILD_CFLAGS}" HOSTLDFLAGS="${BUILD_LDFLAGS}" HOSTCPP="${BUILD_CPP}"'
+EXTRA_OEMAKE += ' HOSTCXX="${BUILD_CXX}" HOSTCXXFLAGS="${BUILD_CXXFLAGS}" PAHOLE=false'

 KERNEL_ALT_IMAGETYPE ??= ""

@@ -375,7 +376,7 @@ kernel_do_compile() {
 		use_alternate_initrd=CONFIG_INITRAMFS_SOURCE=${B}/usr/${INITRAMFS_IMAGE_NAME}.cpio
 	fi
 	for typeformake in ${KERNEL_IMAGETYPE_FOR_MAKE} ; do
-		oe_runmake ${typeformake} CC="${KERNEL_CC}" LD="${KERNEL_LD}" ${KERNEL_EXTRA_ARGS} $use_alternate_initrd
+		oe_runmake ${typeformake} ${KERNEL_EXTRA_ARGS} $use_alternate_initrd
 	done
 }

@@ -407,7 +408,7 @@ do_compile_kernelmodules() {
 		bbnote "KBUILD_BUILD_TIMESTAMP: $ts"
 	fi
 	if (grep -q -i -e '^CONFIG_MODULES=y$' ${B}/.config); then
-		oe_runmake -C ${B} ${PARALLEL_MAKE} modules CC="${KERNEL_CC}" LD="${KERNEL_LD}" ${KERNEL_EXTRA_ARGS}
+		oe_runmake -C ${B} ${PARALLEL_MAKE} modules ${KERNEL_EXTRA_ARGS}

 		# Module.symvers gets updated during the 
 		# building of the kernel modules. We need to
@@ -591,7 +592,7 @@ sysroot_stage_all () {
 	:
 }

-KERNEL_CONFIG_COMMAND ?= "oe_runmake_call -C ${S} CC="${KERNEL_CC}" LD="${KERNEL_LD}" O=${B} olddefconfig || oe_runmake -C ${S} O=${B} CC="${KERNEL_CC}" LD="${KERNEL_LD}" oldnoconfig"
+KERNEL_CONFIG_COMMAND ?= "oe_runmake_call -C ${S} O=${B} olddefconfig || oe_runmake -C ${S} O=${B} oldnoconfig"

 python check_oldest_kernel() {
    oldest_kernel = d.getVar('OLDEST_KERNEL')
@@ -629,14 +630,15 @@ kernel_do_configure() {

 do_savedefconfig() {
 	bbplain "Saving defconfig to:\n${B}/defconfig"
-	oe_runmake -C ${B} LD='${KERNEL_LD}' savedefconfig
+	oe_runmake -C ${B} savedefconfig
 }
 do_savedefconfig[nostamp] = "1"
 addtask savedefconfig after do_configure

 inherit cml1

-KCONFIG_CONFIG_COMMAND:append = " PAHOLE=false LD='${KERNEL_LD}' HOSTLDFLAGS='${BUILD_LDFLAGS}'"
+# Need LD, HOSTLDFLAGS and more for config operations
+KCONFIG_CONFIG_COMMAND:append = " ${EXTRA_OEMAKE}"

 EXPORT_FUNCTIONS do_compile do_transform_kernel do_transform_bundled_initramfs do_install do_configure

--- a/meta/classes/nativesdk.bbclass
+++ b/meta/classes/nativesdk.bbclass
@@ -55,6 +55,7 @@ TARGET_CXXFLAGS = "${BUILDSDK_CXXFLAGS}"
 TARGET_LDFLAGS = "${BUILDSDK_LDFLAGS}"
 TARGET_FPU = ""
 EXTRA_OECONF_GCC_FLOAT = ""
+TUNE_FEATURES = ""

 CPPFLAGS = "${BUILDSDK_CPPFLAGS}"
 CFLAGS = "${BUILDSDK_CFLAGS}"
--- a/meta/classes/npm.bbclass
+++ b/meta/classes/npm.bbclass
@@ -19,7 +19,7 @@

 inherit python3native

-DEPENDS:prepend = "nodejs-native "
+DEPENDS:prepend = "nodejs-native nodejs-oe-cache-native "
 RDEPENDS:${PN}:append:class-target = " nodejs"

 EXTRA_OENPM = ""
@@ -46,6 +46,7 @@ NPM_ARCH ?= "${@npm_target_arch_map(d.getVar("TARGET_ARCH"))}"
 NPM_PACKAGE = "${WORKDIR}/npm-package"
 NPM_CACHE = "${WORKDIR}/npm-cache"
 NPM_BUILD = "${WORKDIR}/npm-build"
+NPM_REGISTRY = "${WORKDIR}/npm-registry"

 def npm_global_configs(d):
    """Get the npm global configuration"""
@@ -57,13 +58,36 @@ def npm_global_configs(d):
    configs.append(("cache", d.getVar("NPM_CACHE")))
    return configs

+## 'npm pack' runs 'prepare' and 'prepack' scripts. Support for
+## 'ignore-scripts' which prevents this behavior has been removed
+## from nodejs 16.  Use simple 'tar' instead of.
 def npm_pack(env, srcdir, workdir):
-    """Run 'npm pack' on a specified directory"""
-    import shlex
-    cmd = "npm pack %s" % shlex.quote(srcdir)
-    args = [("ignore-scripts", "true")]
-    tarball = env.run(cmd, args=args, workdir=workdir).strip("\n")
-    return os.path.join(workdir, tarball)
+    """Emulate 'npm pack' on a specified directory"""
+    import subprocess
+    import os
+    import json
+
+    src = os.path.join(srcdir, 'package.json')
+    with open(src) as f:
+        j = json.load(f)
+
+    # base does not really matter and is for documentation purposes
+    # only.  But the 'version' part must exist because other parts of
+    # the bbclass rely on it.
+    base = j['name'].split('/')[-1]
+    tarball = os.path.join(workdir, "%s-%s.tgz" % (base, j['version']));
+
+    # TODO: real 'npm pack' does not include directories while 'tar'
+    # does.  But this does not seem to matter...
+    subprocess.run(['tar', 'czf', tarball,
+                    '--exclude', './node-modules',
+                    '--exclude-vcs',
+                    '--transform', 's,^\./,package/,',
+                    '--mtime', '1985-10-26T08:15:00.000Z',
+                    '.'],
+                   check = True, cwd = srcdir)
+
+    return (tarball, j)

 python npm_do_configure() {
    """
@@ -86,27 +110,24 @@ python npm_do_configure() {
    from bb.fetch2.npm import npm_unpack
    from bb.fetch2.npmsw import foreach_dependencies
    from bb.progress import OutOfProgressHandler
+    from oe.npm_registry import NpmRegistry

    bb.utils.remove(d.getVar("NPM_CACHE"), recurse=True)
    bb.utils.remove(d.getVar("NPM_PACKAGE"), recurse=True)

    env = NpmEnvironment(d, configs=npm_global_configs(d))
+    registry = NpmRegistry(d.getVar('NPM_REGISTRY'), d.getVar('NPM_CACHE'))

-    def _npm_cache_add(tarball):
-        """Run 'npm cache add' for a specified tarball"""
-        cmd = "npm cache add %s" % shlex.quote(tarball)
-        env.run(cmd)
+    def _npm_cache_add(tarball, pkg):
+        """Add tarball to local registry and register it in the
+           cache"""
+        registry.add_pkg(tarball, pkg)

    def _npm_integrity(tarball):
        """Return the npm integrity of a specified tarball"""
        sha512 = bb.utils.sha512_file(tarball)
        return "sha512-" + base64.b64encode(bytes.fromhex(sha512)).decode()

-    def _npm_version(tarball):
-        """Return the version of a specified tarball"""
-        regex = r"-(\d+\.\d+\.\d+(-.*)?(\+.*)?)\.tgz"
-        return re.search(regex, tarball).group(1)
-
    def _npmsw_dependency_dict(orig, deptree):
        """
        Return the sub dictionary in the 'orig' dictionary corresponding to the
@@ -163,11 +184,11 @@ python npm_do_configure() {
        with tempfile.TemporaryDirectory() as tmpdir:
            # Add the dependency to the npm cache
            destdir = os.path.join(d.getVar("S"), destsuffix)
-            tarball = npm_pack(env, destdir, tmpdir)
-            _npm_cache_add(tarball)
+            (tarball, pkg) = npm_pack(env, destdir, tmpdir)
+            _npm_cache_add(tarball, pkg)
            # Add its signature to the cached shrinkwrap
            dep = _npmsw_dependency_dict(cached_shrinkwrap, deptree)
-            dep["version"] = _npm_version(tarball)
+            dep["version"] = pkg['version']
            dep["integrity"] = _npm_integrity(tarball)
            if params.get("dev", False):
                dep["dev"] = True
@@ -184,7 +205,7 @@ python npm_do_configure() {

    # Configure the main package
    with tempfile.TemporaryDirectory() as tmpdir:
-        tarball = npm_pack(env, d.getVar("S"), tmpdir)
+        (tarball, _) = npm_pack(env, d.getVar("S"), tmpdir)
        npm_unpack(tarball, d.getVar("NPM_PACKAGE"), d)

    # Configure the cached manifest file and cached shrinkwrap file
@@ -257,7 +278,7 @@ python npm_do_compile() {
        args.append(("build-from-source", "true"))

        # Pack and install the main package
-        tarball = npm_pack(env, d.getVar("NPM_PACKAGE"), tmpdir)
+        (tarball, _) = npm_pack(env, d.getVar("NPM_PACKAGE"), tmpdir)
        cmd = "npm install %s %s" % (shlex.quote(tarball), d.getVar("EXTRA_OENPM"))
        env.run(cmd, args=args)
 }
--- a/meta/classes/overlayfs-etc.bbclass
+++ b/meta/classes/overlayfs-etc.bbclass
@@ -34,6 +34,7 @@ OVERLAYFS_ETC_DEVICE ??= ""
 OVERLAYFS_ETC_USE_ORIG_INIT_NAME ??= "1"
 OVERLAYFS_ETC_MOUNT_OPTIONS ??= "defaults"
 OVERLAYFS_ETC_INIT_TEMPLATE ??= "${COREBASE}/meta/files/overlayfs-etc-preinit.sh.in"
+OVERLAYFS_ETC_EXPOSE_LOWER ??= "0"

 python create_overlayfs_etc_preinit() {
    overlayEtcMountPoint = d.getVar("OVERLAYFS_ETC_MOUNT_POINT")
@@ -54,13 +55,15 @@ python create_overlayfs_etc_preinit() {
    preinitPath = oe.path.join(d.getVar("IMAGE_ROOTFS"), d.getVar("base_sbindir"), "preinit")
    initBaseName = oe.path.join(d.getVar("base_sbindir"), "init")
    origInitNameSuffix = ".orig"
+    exposeLower = oe.types.boolean(d.getVar('OVERLAYFS_ETC_EXPOSE_LOWER'))

    args = {
        'OVERLAYFS_ETC_MOUNT_POINT': overlayEtcMountPoint,
        'OVERLAYFS_ETC_MOUNT_OPTIONS': d.getVar('OVERLAYFS_ETC_MOUNT_OPTIONS'),
        'OVERLAYFS_ETC_FSTYPE': overlayEtcFsType,
        'OVERLAYFS_ETC_DEVICE': overlayEtcDevice,
-        'SBIN_INIT_NAME': initBaseName + origInitNameSuffix if useOrigInit else initBaseName
+        'SBIN_INIT_NAME': initBaseName + origInitNameSuffix if useOrigInit else initBaseName,
+        'OVERLAYFS_ETC_EXPOSE_LOWER': "true" if exposeLower else "false"
    }

    if useOrigInit:
--- a/meta/classes/own-mirrors.bbclass
+++ b/meta/classes/own-mirrors.bbclass
@@ -11,4 +11,5 @@ https?://.*/.*  ${SOURCE_MIRROR_URL} \
 ftp://.*/.*     ${SOURCE_MIRROR_URL} \
 npm://.*/?.*    ${SOURCE_MIRROR_URL} \
 s3://.*/.*      ${SOURCE_MIRROR_URL} \
+crate://.*/.*   ${SOURCE_MIRROR_URL} \
 "
--- a/meta/classes/package_rpm.bbclass
+++ b/meta/classes/package_rpm.bbclass
@@ -193,8 +193,6 @@ python write_specfile () {
            if path.endswith("DEBIAN") or path.endswith("CONTROL"):
                continue
            path = path.replace("%", "%%%%%%%%")
-            path = path.replace("[", "?")
-            path = path.replace("]", "?")

            # Treat all symlinks to directories as normal files.
            # os.walk() lists them as directories.
@@ -214,8 +212,6 @@ python write_specfile () {
                    if dir == "CONTROL" or dir == "DEBIAN":
                        continue
                    dir = dir.replace("%", "%%%%%%%%")
-                    dir = dir.replace("[", "?")
-                    dir = dir.replace("]", "?")
                    # All packages own the directories their files are in...
                    target.append('%dir "' + path + '/' + dir + '"')
            else:
@@ -230,8 +226,6 @@ python write_specfile () {
                if file == "CONTROL" or file == "DEBIAN":
                    continue
                file = file.replace("%", "%%%%%%%%")
-                file = file.replace("[", "?")
-                file = file.replace("]", "?")
                if conffiles.count(path + '/' + file):
                    target.append('%config "' + path + '/' + file + '"')
                else:
--- a/meta/classes/rootfs-postcommands.bbclass
+++ b/meta/classes/rootfs-postcommands.bbclass
@@ -14,7 +14,7 @@ ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'deb
 # Create /etc/timestamp during image construction to give a reasonably sane default time setting
 ROOTFS_POSTPROCESS_COMMAND += "rootfs_update_timestamp; "

-# Tweak the mount options for rootfs in /etc/fstab if read-only-rootfs is enabled
+# Tweak files in /etc if read-only-rootfs is enabled
 ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "read_only_rootfs_hook; ", "",d)}'

 # We also need to do the same for the kernel boot parameters,
@@ -103,20 +103,24 @@ read_only_rootfs_hook () {
 	# If we're using openssh and the /etc/ssh directory has no pre-generated keys,
 	# we should configure openssh to use the configuration file /etc/ssh/sshd_config_readonly
 	# and the keys under /var/run/ssh.
-	if [ -d ${IMAGE_ROOTFS}/etc/ssh ]; then
-		if [ -e ${IMAGE_ROOTFS}/etc/ssh/ssh_host_rsa_key ]; then
-			echo "SYSCONFDIR=\${SYSCONFDIR:-/etc/ssh}" >> ${IMAGE_ROOTFS}/etc/default/ssh
-			echo "SSHD_OPTS=" >> ${IMAGE_ROOTFS}/etc/default/ssh
-		else
-			echo "SYSCONFDIR=\${SYSCONFDIR:-/var/run/ssh}" >> ${IMAGE_ROOTFS}/etc/default/ssh
-			echo "SSHD_OPTS='-f /etc/ssh/sshd_config_readonly'" >> ${IMAGE_ROOTFS}/etc/default/ssh
+	# If overlayfs-etc is used this is not done as /etc is treated as writable
+	# If stateless-rootfs is enabled this is always done as we don't want to save keys then
+	if ${@ 'true' if not bb.utils.contains('IMAGE_FEATURES', 'overlayfs-etc', True, False, d) or bb.utils.contains('IMAGE_FEATURES', 'stateless-rootfs', True, False, d) else 'false'}; then
+		if [ -d ${IMAGE_ROOTFS}/etc/ssh ]; then
+			if [ -e ${IMAGE_ROOTFS}/etc/ssh/ssh_host_rsa_key ]; then
+				echo "SYSCONFDIR=\${SYSCONFDIR:-/etc/ssh}" >> ${IMAGE_ROOTFS}/etc/default/ssh
+				echo "SSHD_OPTS=" >> ${IMAGE_ROOTFS}/etc/default/ssh
+			else
+				echo "SYSCONFDIR=\${SYSCONFDIR:-/var/run/ssh}" >> ${IMAGE_ROOTFS}/etc/default/ssh
+				echo "SSHD_OPTS='-f /etc/ssh/sshd_config_readonly'" >> ${IMAGE_ROOTFS}/etc/default/ssh
+			fi
 		fi
-	fi

-	# Also tweak the key location for dropbear in the same way.
-	if [ -d ${IMAGE_ROOTFS}/etc/dropbear ]; then
-		if [ ! -e ${IMAGE_ROOTFS}/etc/dropbear/dropbear_rsa_host_key ]; then
-			echo "DROPBEAR_RSAKEY_DIR=/var/lib/dropbear" >> ${IMAGE_ROOTFS}/etc/default/dropbear
+		# Also tweak the key location for dropbear in the same way.
+		if [ -d ${IMAGE_ROOTFS}/etc/dropbear ]; then
+			if [ ! -e ${IMAGE_ROOTFS}/etc/dropbear/dropbear_rsa_host_key ]; then
+				echo "DROPBEAR_RSAKEY_DIR=/var/lib/dropbear" >> ${IMAGE_ROOTFS}/etc/default/dropbear
+			fi
 		fi
 	fi

--- a/meta/classes/sanity.bbclass
+++ b/meta/classes/sanity.bbclass
@@ -351,6 +351,7 @@ def check_connectivity(d):
            if len(msg) == 0:
                msg = "%s.\n" % err
                msg += "    Please ensure your host's network is configured correctly.\n"
+                msg += "    Please ensure CONNECTIVITY_CHECK_URIS is correct and specified URIs are available.\n"
                msg += "    If your ISP or network is blocking the above URL,\n"
                msg += "    try with another domain name, for example by setting:\n"
                msg += "    CONNECTIVITY_CHECK_URIS = \"https://www.example.com/\""
@@ -858,7 +859,7 @@ def check_sanity_everybuild(status, d):
    mirror_vars = ['MIRRORS', 'PREMIRRORS', 'SSTATE_MIRRORS']
    protocols = ['http', 'ftp', 'file', 'https', \
                 'git', 'gitsm', 'hg', 'osc', 'p4', 'svn', \
-                 'bzr', 'cvs', 'npm', 'sftp', 'ssh', 's3', 'az', 'ftps']
+                 'bzr', 'cvs', 'npm', 'sftp', 'ssh', 's3', 'az', 'ftps', 'crate']
    for mirror_var in mirror_vars:
        mirrors = (d.getVar(mirror_var) or '').replace('\\n', ' ').split()

--- a/meta/classes/uboot-sign.bbclass
+++ b/meta/classes/uboot-sign.bbclass
@@ -73,6 +73,9 @@ UBOOT_FIT_HASH_ALG ?= "sha256"
 FIT_SIGN_ALG ?= "rsa2048"
 UBOOT_FIT_SIGN_ALG ?= "rsa2048"

+# Kernel / U-Boot fitImage Padding Algo
+FIT_PAD_ALG ?= "pkcs-1.5"
+
 # Generate keys for signing Kernel / U-Boot fitImage
 FIT_GENERATE_KEYS ?= "0"
 UBOOT_FIT_GENERATE_KEYS ?= "0"
--- a/meta/conf/bitbake.conf
+++ b/meta/conf/bitbake.conf
@@ -924,7 +924,7 @@ SHELL[unexport] = "1"
 TRANSLATED_TARGET_ARCH ??= "${@d.getVar('TARGET_ARCH').replace("_", "-")}"

 # Set a default umask to use for tasks for determinism
-BB_DEFAULT_UMASK = "022"
+BB_DEFAULT_UMASK ??= "022"

 # Complete output from bitbake
 BB_CONSOLELOG ?= "${LOG_DIR}/cooker/${MACHINE}/${DATETIME}.log"
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -544,10 +544,10 @@ RECIPE_MAINTAINER:pn-ofono = "Ross Burton <ross.burton@arm.com>"
 RECIPE_MAINTAINER:pn-opensbi = "Alistair Francis <alistair.francis@wdc.com>"
 RECIPE_MAINTAINER:pn-openssh = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-openssl = "Alexander Kanavin <alex.kanavin@gmail.com>"
-RECIPE_MAINTAINER:pn-opkg = "Alejandro del Castillo <alejandro.delcastillo@ni.com>"
-RECIPE_MAINTAINER:pn-opkg-arch-config = "Alejandro del Castillo <alejandro.delcastillo@ni.com>"
-RECIPE_MAINTAINER:pn-opkg-keyrings = "Alejandro del Castillo <alejandro.delcastillo@ni.com>"
-RECIPE_MAINTAINER:pn-opkg-utils = "Alejandro del Castillo <alejandro.delcastillo@ni.com>"
+RECIPE_MAINTAINER:pn-opkg = "Alex Stewart <alex.stewart@ni.com>"
+RECIPE_MAINTAINER:pn-opkg-arch-config = "Alex Stewart <alex.stewart@ni.com>"
+RECIPE_MAINTAINER:pn-opkg-keyrings = "Alex Stewart <alex.stewart@ni.com>"
+RECIPE_MAINTAINER:pn-opkg-utils = "Alex Stewart <alex.stewart@ni.com>"
 RECIPE_MAINTAINER:pn-orc = "Anuj Mittal <anuj.mittal@intel.com>"
 RECIPE_MAINTAINER:pn-os-release = "Ross Burton <ross.burton@arm.com>"
 RECIPE_MAINTAINER:pn-ovmf = "Ricardo Neri <ricardo.neri-calderon@linux.intel.com>"
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -6,10 +6,10 @@
 # to the distro running on the build machine.
 #

-UNINATIVE_MAXGLIBCVERSION = "2.35"
-UNINATIVE_VERSION = "3.6"
+UNINATIVE_MAXGLIBCVERSION = "2.36"
+UNINATIVE_VERSION = "3.7"

 UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/"
-UNINATIVE_CHECKSUM[aarch64] ?= "d64831cf2792c8e470c2e42230660e1a8e5de56a579cdd59978791f663c2f3ed"
-UNINATIVE_CHECKSUM[i686] ?= "2f0ee9b66b1bb2c85e2b592fb3c9c7f5d77399fa638d74961330cdb8de34ca3b"
-UNINATIVE_CHECKSUM[x86_64] ?= "9bfc4c970495b3716b2f9e52c4df9f968c02463a9a95000f6657fbc3fde1f098"
+UNINATIVE_CHECKSUM[aarch64] ?= "6a29bcae4b5b716d2d520e18800b33943b65f8a835eac1ff8793fc5ee65b4be6"
+UNINATIVE_CHECKSUM[i686] ?= "3f6d52e64996570c716108d49f8108baccf499a283bbefae438c7266b7a93305"
+UNINATIVE_CHECKSUM[x86_64] ?= "b110bf2e10fe420f5ca2f3ec55f048ee5f0a54c7e34856a3594e51eb2aea0570"
--- a/meta/conf/machine/include/arm/arch-armv9a.inc
+++ b/meta/conf/machine/include/arm/arch-armv9a.inc
@@ -0,0 +1,28 @@
+DEFAULTTUNE ?= "armv9a-crc"
+
+TUNEVALID[armv9a] = "Enable instructions for ARMv9-a"
+TUNE_CCARGS_MARCH .= "${@bb.utils.contains('TUNE_FEATURES', 'armv9a', ' -march=armv9-a', '', d)}"
+MACHINEOVERRIDES =. "${@bb.utils.contains('TUNE_FEATURES', 'armv9a', 'armv9a:', '', d)}"
+
+require conf/machine/include/arm/arch-arm64.inc
+require conf/machine/include/arm/feature-arm-crc.inc
+require conf/machine/include/arm/feature-arm-crypto.inc
+
+# Little Endian base configs
+AVAILTUNES += "armv9a armv9a-crc armv9a-crc-crypto armv9a-crypto"
+ARMPKGARCH:tune-armv9a                    ?= "armv9a"
+ARMPKGARCH:tune-armv9a-crc                ?= "armv9a"
+ARMPKGARCH:tune-armv9a-crypto             ?= "armv9a"
+ARMPKGARCH:tune-armv9a-crc-crypto         ?= "armv9a"
+TUNE_FEATURES:tune-armv9a                  = "aarch64 armv9a"
+TUNE_FEATURES:tune-armv9a-crc              = "${TUNE_FEATURES:tune-armv9a} crc"
+TUNE_FEATURES:tune-armv9a-crypto           = "${TUNE_FEATURES:tune-armv9a} crypto"
+TUNE_FEATURES:tune-armv9a-crc-crypto       = "${TUNE_FEATURES:tune-armv9a-crc} crypto"
+PACKAGE_EXTRA_ARCHS:tune-armv9a            = "aarch64 armv9a"
+PACKAGE_EXTRA_ARCHS:tune-armv9a-crc        = "${PACKAGE_EXTRA_ARCHS:tune-armv9a} armv9a-crc"
+PACKAGE_EXTRA_ARCHS:tune-armv9a-crypto     = "${PACKAGE_EXTRA_ARCHS:tune-armv9a} armv9a-crypto"
+PACKAGE_EXTRA_ARCHS:tune-armv9a-crc-crypto = "${PACKAGE_EXTRA_ARCHS:tune-armv9a-crc} armv9a-crypto armv9a-crc-crypto"
+BASE_LIB:tune-armv9a                       = "lib64"
+BASE_LIB:tune-armv9a-crc                   = "lib64"
+BASE_LIB:tune-armv9a-crypto                = "lib64"
+BASE_LIB:tune-armv9a-crc-crypto            = "lib64"
--- a/meta/conf/machine/include/arm/armv9a/tune-neoversen2.inc
+++ b/meta/conf/machine/include/arm/armv9a/tune-neoversen2.inc
@@ -6,17 +6,15 @@ DEFAULTTUNE ?= "neoversen2"
 TUNEVALID[neoversen2] = "Enable Neoverse-N2 specific processor optimizations"
 TUNE_CCARGS .= "${@bb.utils.contains('TUNE_FEATURES', 'neoversen2', ' -mcpu=neoverse-n2', '', d)}"

-# Even though the Neoverse N2 core implemnts the Arm v9.0-A architecture,
-# but the support of it in GCC is based on the Arm v8.5-A architecture.
-require conf/machine/include/arm/arch-armv8-5a.inc
+require conf/machine/include/arm/arch-armv9a.inc

 # Little Endian base configs
 AVAILTUNES                                         += "neoversen2 neoversen2-crypto"
 ARMPKGARCH:tune-neoversen2                          = "neoversen2"
 ARMPKGARCH:tune-neoversen2-crypto                   = "neoversen2-crypto"
-TUNE_FEATURES:tune-neoversen2                       = "${TUNE_FEATURES:tune-armv8-5a} neoversen2"
+TUNE_FEATURES:tune-neoversen2                       = "${TUNE_FEATURES:tune-armv9a} neoversen2"
 TUNE_FEATURES:tune-neoversen2-crypto                = "${TUNE_FEATURES:tune-neoversen2} crypto"
-PACKAGE_EXTRA_ARCHS:tune-neoversen2                 = "${PACKAGE_EXTRA_ARCHS:tune-armv8-5a} neoversen2"
-PACKAGE_EXTRA_ARCHS:tune-neoversen2-crypto          = "${PACKAGE_EXTRA_ARCHS:tune-armv8-5a-crypto} neoversen2 neoversen2-crypto"
+PACKAGE_EXTRA_ARCHS:tune-neoversen2                 = "${PACKAGE_EXTRA_ARCHS:tune-armv9a} neoversen2"
+PACKAGE_EXTRA_ARCHS:tune-neoversen2-crypto          = "${PACKAGE_EXTRA_ARCHS:tune-armv9a-crypto} neoversen2 neoversen2-crypto"
 BASE_LIB:tune-neoversen2                            = "lib64"
 BASE_LIB:tune-neoversen2-crypto                     = "lib64"
--- a/meta/files/overlayfs-etc-preinit.sh.in
+++ b/meta/files/overlayfs-etc-preinit.sh.in
@@ -15,19 +15,32 @@ mount -t sysfs sysfs /sys

 [ -z "$CONSOLE" ] && CONSOLE="/dev/console"

+BASE_OVERLAY_ETC_DIR={OVERLAYFS_ETC_MOUNT_POINT}/overlay-etc
+UPPER_DIR=$BASE_OVERLAY_ETC_DIR/upper
+WORK_DIR=$BASE_OVERLAY_ETC_DIR/work
+LOWER_DIR=$BASE_OVERLAY_ETC_DIR/lower
+
 mkdir -p {OVERLAYFS_ETC_MOUNT_POINT}
 if mount -n -t {OVERLAYFS_ETC_FSTYPE} \
    -o {OVERLAYFS_ETC_MOUNT_OPTIONS} \
    {OVERLAYFS_ETC_DEVICE} {OVERLAYFS_ETC_MOUNT_POINT}
 then
-    mkdir -p {OVERLAYFS_ETC_MOUNT_POINT}/overlay-etc/upper
-    mkdir -p {OVERLAYFS_ETC_MOUNT_POINT}/overlay-etc/work
+    mkdir -p $UPPER_DIR
+    mkdir -p $WORK_DIR
+
+    if {OVERLAYFS_ETC_EXPOSE_LOWER}; then
+        mkdir -p $LOWER_DIR
+
+        # provide read-only access to original /etc content
+        mount -o bind,ro /etc $LOWER_DIR
+    fi
+
    mount -n -t overlay \
-        -o upperdir={OVERLAYFS_ETC_MOUNT_POINT}/overlay-etc/upper \
+        -o upperdir=$UPPER_DIR \
        -o lowerdir=/etc \
-        -o workdir={OVERLAYFS_ETC_MOUNT_POINT}/overlay-etc/work \
+        -o workdir=$WORK_DIR \
        -o index=off,xino=off,redirect_dir=off,metacopy=off \
-        {OVERLAYFS_ETC_MOUNT_POINT}/overlay-etc/upper /etc || \
+        $UPPER_DIR /etc || \
            echo "PREINIT: Mounting etc-overlay failed!"
 else
    echo "PREINIT: Mounting </data> failed!"
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -143,7 +143,7 @@ def get_cpe_ids(cve_product, version):
        else:
            vendor = "*"

-        cpe_id = f'cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*'
+        cpe_id = 'cpe:2.3:a:{}:{}:{}:*:*:*:*:*:*:*'.format(vendor, product, version)
        cpe_ids.append(cpe_id)

    return cpe_ids
--- a/meta/lib/oe/npm_registry.py
+++ b/meta/lib/oe/npm_registry.py
@@ -0,0 +1,169 @@
+import bb
+import json
+import subprocess
+
+_ALWAYS_SAFE = frozenset('ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+                         'abcdefghijklmnopqrstuvwxyz'
+                         '0123456789'
+                         '_.-~')
+
+MISSING_OK = object()
+
+REGISTRY = "https://registry.npmjs.org"
+
+# we can not use urllib.parse here because npm expects lowercase
+# hex-chars but urllib generates uppercase ones
+def uri_quote(s, safe = '/'):
+    res = ""
+    safe_set = set(safe)
+    for c in s:
+        if c in _ALWAYS_SAFE or c in safe_set:
+            res += c
+        else:
+            res += '%%%02x' % ord(c)
+    return res
+
+class PackageJson:
+    def __init__(self, spec):
+        self.__spec = spec
+
+    @property
+    def name(self):
+        return self.__spec['name']
+
+    @property
+    def version(self):
+        return self.__spec['version']
+
+    @property
+    def empty_manifest(self):
+        return {
+            'name': self.name,
+            'description': self.__spec.get('description', ''),
+            'versions': {},
+        }
+
+    def base_filename(self):
+        return uri_quote(self.name, safe = '@')
+
+    def as_manifest_entry(self, tarball_uri):
+        res = {}
+
+        ## NOTE: 'npm install' requires more than basic meta information;
+        ## e.g. it takes 'bin' from this manifest entry but not the actual
+        ## 'package.json'
+        for (idx,dflt) in [('name', None),
+                           ('description', ""),
+                           ('version', None),
+                           ('bin', MISSING_OK),
+                           ('man', MISSING_OK),
+                           ('scripts', MISSING_OK),
+                           ('directories', MISSING_OK),
+                           ('dependencies', MISSING_OK),
+                           ('devDependencies', MISSING_OK),
+                           ('optionalDependencies', MISSING_OK),
+                           ('license', "unknown")]:
+            if idx in self.__spec:
+                res[idx] = self.__spec[idx]
+            elif dflt == MISSING_OK:
+                pass
+            elif dflt != None:
+                res[idx] = dflt
+            else:
+                raise Exception("%s-%s: missing key %s" % (self.name,
+                                                           self.version,
+                                                           idx))
+
+        res['dist'] = {
+            'tarball': tarball_uri,
+        }
+
+        return res
+
+class ManifestImpl:
+    def __init__(self, base_fname, spec):
+        self.__base = base_fname
+        self.__spec = spec
+
+    def load(self):
+        try:
+            with open(self.filename, "r") as f:
+                res = json.load(f)
+        except IOError:
+            res = self.__spec.empty_manifest
+
+        return res
+
+    def save(self, meta):
+        with open(self.filename, "w") as f:
+            json.dump(meta, f, indent = 2)
+
+    @property
+    def filename(self):
+        return self.__base + ".meta"
+
+class Manifest:
+    def __init__(self, base_fname, spec):
+        self.__base = base_fname
+        self.__spec = spec
+        self.__lockf = None
+        self.__impl = None
+
+    def __enter__(self):
+        self.__lockf = bb.utils.lockfile(self.__base + ".lock")
+        self.__impl  = ManifestImpl(self.__base, self.__spec)
+        return self.__impl
+
+    def __exit__(self, exc_type, exc_val, exc_tb):
+        bb.utils.unlockfile(self.__lockf)
+
+class NpmCache:
+    def __init__(self, cache):
+        self.__cache = cache
+
+    @property
+    def path(self):
+        return self.__cache
+
+    def run(self, type, key, fname):
+        subprocess.run(['oe-npm-cache', self.__cache, type, key, fname],
+                       check = True)
+
+class NpmRegistry:
+    def __init__(self, path, cache):
+        self.__path = path
+        self.__cache = NpmCache(cache + '/_cacache')
+        bb.utils.mkdirhier(self.__path)
+        bb.utils.mkdirhier(self.__cache.path)
+
+    @staticmethod
+    ## This function is critical and must match nodejs expectations
+    def _meta_uri(spec):
+        return REGISTRY + '/' + uri_quote(spec.name, safe = '@')
+
+    @staticmethod
+    ## Exact return value does not matter; just make it look like a
+    ## usual registry url
+    def _tarball_uri(spec):
+        return '%s/%s/-/%s-%s.tgz' % (REGISTRY,
+                                      uri_quote(spec.name, safe = '@'),
+                                      uri_quote(spec.name, safe = '@/'),
+                                      spec.version)
+
+    def add_pkg(self, tarball, pkg_json):
+        pkg_json = PackageJson(pkg_json)
+        base = os.path.join(self.__path, pkg_json.base_filename())
+
+        with Manifest(base, pkg_json) as manifest:
+            meta = manifest.load()
+            tarball_uri = self._tarball_uri(pkg_json)
+
+            meta['versions'][pkg_json.version] = pkg_json.as_manifest_entry(tarball_uri)
+
+            manifest.save(meta)
+
+            ## Cache entries are a little bit dependent on the nodejs
+            ## version; version specific cache implementation must
+            ## mitigate differences
+            self.__cache.run('meta', self._meta_uri(pkg_json), manifest.filename);
+            self.__cache.run('tgz',  tarball_uri, tarball);
--- a/meta/lib/oe/rootfs.py
+++ b/meta/lib/oe/rootfs.py
@@ -384,6 +384,10 @@ def create_rootfs(d, manifest_dir=None, progress_reporter=None, logcatcher=None)


 def image_list_installed_packages(d, rootfs_dir=None):
+    # Theres no rootfs for baremetal images
+    if bb.data.inherits_class('baremetal-image', d):
+        return ""
+
    if not rootfs_dir:
        rootfs_dir = d.getVar('IMAGE_ROOTFS')

--- a/meta/lib/oe/spdx.py
+++ b/meta/lib/oe/spdx.py
@@ -218,7 +218,7 @@ class SPDXPackage(SPDXObject):
    SPDXID = _String()
    versionInfo = _String()
    downloadLocation = _String(default="NOASSERTION")
-    packageSupplier = _String(default="NOASSERTION")
+    supplier = _String(default="NOASSERTION")
    homepage = _String()
    licenseConcluded = _String(default="NOASSERTION")
    licenseDeclared = _String(default="NOASSERTION")
--- a/meta/lib/oeqa/runtime/cases/dnf.py
+++ b/meta/lib/oeqa/runtime/cases/dnf.py
@@ -144,7 +144,7 @@ class DnfRepoTest(DnfTest):
        self.assertEqual(0, status, output)

    @OETestDepends(['dnf.DnfRepoTest.test_dnf_makecache'])
-    @skipIfNotInDataVar('DISTRO_FEATURES', 'usrmerge', 'Test run when enable usrmege')
+    @skipIfNotInDataVar('DISTRO_FEATURES', 'usrmerge', 'Test run when enable usrmerge')
    @OEHasPackage('busybox')
    def test_dnf_installroot_usrmerge(self):
        rootpath = '/home/root/chroot/test'
--- a/meta/lib/oeqa/runtime/cases/parselogs.py
+++ b/meta/lib/oeqa/runtime/cases/parselogs.py
@@ -64,6 +64,7 @@ common_errors = [
    "[pulseaudio] authkey.c: Failed to load authentication key",
    "was skipped because of a failed condition check",
    "was skipped because all trigger condition checks failed",
+    "xf86OpenConsole: Switching VT failed",
    ]

 video_related = [
@@ -140,6 +141,7 @@ ignore_errors = {
        'Failed to initialize \'/amba/timer@101e3000\': -22',
        'jitterentropy: Initialization failed with host not compliant with requirements: 2',
        'clcd-pl11x: probe of 10120000.display failed with error -2',
+        'arm-charlcd 10008000.lcd: error -ENXIO: IRQ index 0 not found'
        ] + common_errors,
    'qemuarm64' : [
        'Fatal server error:',
--- a/meta/lib/oeqa/selftest/cases/fitimage.py
+++ b/meta/lib/oeqa/selftest/cases/fitimage.py
@@ -738,6 +738,7 @@ UBOOT_LOADADDRESS = "0x80000000"
 UBOOT_DTB_LOADADDRESS = "0x82000000"
 UBOOT_ARCH = "arm"
 UBOOT_MKIMAGE_DTCOPTS = "-I dts -O dtb -p 2000"
+UBOOT_MKIMAGE_KERNEL_TYPE = "kernel"
 UBOOT_EXTLINUX = "0"
 FIT_GENERATE_KEYS = "1"
 KERNEL_IMAGETYPE_REPLACEMENT = "zImage"
@@ -763,6 +764,7 @@ FIT_HASH_ALG = "sha256"

        kernel_load = str(get_bb_var('UBOOT_LOADADDRESS'))
        kernel_entry = str(get_bb_var('UBOOT_ENTRYPOINT'))
+        kernel_type = str(get_bb_var('UBOOT_MKIMAGE_KERNEL_TYPE'))
        kernel_compression = str(get_bb_var('FIT_KERNEL_COMP_ALG'))
        uboot_arch = str(get_bb_var('UBOOT_ARCH'))
        fit_hash_alg = str(get_bb_var('FIT_HASH_ALG'))
@@ -775,7 +777,7 @@ FIT_HASH_ALG = "sha256"
            'kernel-1 {',
            'description = "Linux kernel";',
            'data = /incbin/("linux.bin");',
-            'type = "kernel";',
+            'type = "' + kernel_type + '";',
            'arch = "' + uboot_arch + '";',
            'os = "linux";',
            'compression = "' + kernel_compression + '";',
--- a/meta/lib/oeqa/selftest/cases/gotoolchain.py
+++ b/meta/lib/oeqa/selftest/cases/gotoolchain.py
@@ -43,12 +43,6 @@ class oeGoToolchainSelfTest(OESelftestTestCase):

    @classmethod
    def tearDownClass(cls):
-        # Go creates file which are readonly
-        for dirpath, dirnames, filenames in os.walk(cls.tmpdir_SDKQA):
-            for filename in filenames + dirnames:
-                f = os.path.join(dirpath, filename)
-                if not os.path.islink(f):
-                    os.chmod(f, 0o775)
        shutil.rmtree(cls.tmpdir_SDKQA, ignore_errors=True)
        super(oeGoToolchainSelfTest, cls).tearDownClass()

@@ -56,6 +50,8 @@ class oeGoToolchainSelfTest(OESelftestTestCase):
        cmd = "cd %s/src/%s/%s; " % (self.go_path, proj, name)
        cmd = cmd + ". %s; " % self.env_SDK
        cmd = cmd + "export GOPATH=%s; " % self.go_path
+        cmd = cmd + "export GOFLAGS=-modcacherw; "
+        cmd = cmd + "export CGO_ENABLED=1; "
        cmd = cmd + "${CROSS_COMPILE}go %s" % gocmd
        return runCmd(cmd).status

--- a/meta/lib/oeqa/selftest/cases/intercept.py
+++ b/meta/lib/oeqa/selftest/cases/intercept.py
--- a/meta/lib/oeqa/selftest/cases/oelib/buildhistory.py
+++ b/meta/lib/oeqa/selftest/cases/oelib/buildhistory.py
@@ -3,6 +3,7 @@
 #

 import os
+import sys
 from oeqa.selftest.case import OESelftestTestCase
 import tempfile
 import operator
@@ -11,15 +12,14 @@ from oeqa.utils.commands import get_bb_var
 class TestBlobParsing(OESelftestTestCase):

    def setUp(self):
-        import time
        self.repo_path = tempfile.mkdtemp(prefix='selftest-buildhistory',
            dir=get_bb_var('TOPDIR'))

        try:
            from git import Repo
            self.repo = Repo.init(self.repo_path)
-        except ImportError:
-            self.skipTest('Python module GitPython is not present')
+        except ImportError as e:
+            self.skipTest('Python module GitPython is not present (%s)  (%s)' % (e, sys.path))

        self.test_file = "test"
        self.var_map = {}
--- a/meta/lib/oeqa/selftest/cases/wic.py
+++ b/meta/lib/oeqa/selftest/cases/wic.py
@@ -1420,7 +1420,7 @@ class ModifyTests(WicTestCase):

        # list directory content of the first partition
        result = runCmd("wic ls %s:1 -n %s" % (images[0], sysroot))
-        self.assertIn('\n%s        ' % kerneltype.upper(), result.output)
+        self.assertIn('\n%s ' % kerneltype.upper(), result.output)
        self.assertIn('\nEFI          <DIR>     ', result.output)

        # remove file. EFI partitions are case-insensitive so exercise that too
--- a/meta/lib/oeqa/utils/qemurunner.py
+++ b/meta/lib/oeqa/utils/qemurunner.py
@@ -471,9 +471,9 @@ class QemuRunner:
                            self.server_socket = qemusock
                            stopread = True
                            reachedlogin = True
-                            self.logger.debug("Reached login banner in %s seconds (%s)" %
+                            self.logger.debug("Reached login banner in %s seconds (%s, %s)" %
                                              (time.time() - (endtime - self.boottime),
-                                              time.strftime("%D %H:%M:%S")))
+                                              time.strftime("%D %H:%M:%S"), time.time()))
                    else:
                        # no need to check if reachedlogin unless we support multiple connections
                        self.logger.debug("QEMU socket disconnected before login banner reached. (%s)" %
@@ -618,6 +618,8 @@ class QemuRunner:
                return self.qmp.cmd(command)

    def run_serial(self, command, raw=False, timeout=60):
+        # Returns (status, output) where status is 1 on success and 0 on error
+
        # We assume target system have echo to get command status
        if not raw:
            command = "%s; echo $?\n" % command
--- a/meta/lib/rootfspostcommands.py
+++ b/meta/lib/rootfspostcommands.py
@@ -58,3 +58,10 @@ def sort_passwd(sysconfdir):
            remove_backup(filename)
            if os.path.exists(filename):
                 sort_file(filename, mapping)
+    # Drop other known backup shadow-utils.
+    for filename in (
+            'subgid',
+            'subuid',
+        ):
+        filepath = os.path.join(sysconfdir, filename)
+        remove_backup(filepath)
--- a/meta/recipes-bsp/grub/files/CVE-2021-3695-video-readers-png-Drop-greyscale-support-to-fix-heap.patch
+++ b/meta/recipes-bsp/grub/files/CVE-2021-3695-video-readers-png-Drop-greyscale-support-to-fix-heap.patch
@@ -0,0 +1,179 @@
+From e623866d9286410156e8b9d2c82d6253a1b22d08 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Tue, 6 Jul 2021 18:51:35 +1000
+Subject: [PATCH] video/readers/png: Drop greyscale support to fix heap
+ out-of-bounds write
+
+A 16-bit greyscale PNG without alpha is processed in the following loop:
+
+      for (i = 0; i < (data->image_width * data->image_height);
+	   i++, d1 += 4, d2 += 2)
+	{
+	  d1[R3] = d2[1];
+	  d1[G3] = d2[1];
+	  d1[B3] = d2[1];
+	}
+
+The increment of d1 is wrong. d1 is incremented by 4 bytes per iteration,
+but there are only 3 bytes allocated for storage. This means that image
+data will overwrite somewhat-attacker-controlled parts of memory - 3 bytes
+out of every 4 following the end of the image.
+
+This has existed since greyscale support was added in 2013 in commit
+3ccf16dff98f (grub-core/video/readers/png.c: Support grayscale).
+
+Saving starfield.png as a 16-bit greyscale image without alpha in the gimp
+and attempting to load it causes grub-emu to crash - I don't think this code
+has ever worked.
+
+Delete all PNG greyscale support.
+
+Fixes: CVE-2021-3695
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3695
+
+Reference to upstream patch:
+https://git.savannah.gnu.org/cgit/grub.git/commit/?id=e623866d9286410156e8b9d2c82d6253a1b22d08
+
+Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
+---
+ grub-core/video/readers/png.c | 87 +++--------------------------------
+ 1 file changed, 7 insertions(+), 80 deletions(-)
+
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index 35ae553c8..a3161e25b 100644
+--- a/grub-core/video/readers/png.c
+++ b/grub-core/video/readers/png.c
+@@ -100,7 +100,7 @@ struct grub_png_data
+ 
+   unsigned image_width, image_height;
+   int bpp, is_16bit;
+-  int raw_bytes, is_gray, is_alpha, is_palette;
+  int raw_bytes, is_alpha, is_palette;
+   int row_bytes, color_bits;
+   grub_uint8_t *image_data;
+ 
+@@ -296,13 +296,13 @@ grub_png_decode_image_header (struct grub_png_data *data)
+     data->bpp = 3;
+   else
+     {
+-      data->is_gray = 1;
+-      data->bpp = 1;
+      return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+			 "png: color type not supported");
+     }
+ 
+   if ((color_bits != 8) && (color_bits != 16)
+       && (color_bits != 4
+-	  || !(data->is_gray || data->is_palette)))
+	  || !data->is_palette))
+     return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+                        "png: bit depth must be 8 or 16");
+ 
+@@ -331,7 +331,7 @@ grub_png_decode_image_header (struct grub_png_data *data)
+     }
+ 
+ #ifndef GRUB_CPU_WORDS_BIGENDIAN
+-  if (data->is_16bit || data->is_gray || data->is_palette)
+  if (data->is_16bit || data->is_palette)
+ #endif
+     {
+       data->image_data = grub_calloc (data->image_height, data->row_bytes);
+@@ -899,27 +899,8 @@ grub_png_convert_image (struct grub_png_data *data)
+       int shift;
+       int mask = (1 << data->color_bits) - 1;
+       unsigned j;
+-      if (data->is_gray)
+-	{
+-	  /* Generic formula is
+-	     (0xff * i) / ((1U << data->color_bits) - 1)
+-	     but for allowed bit depth of 1, 2 and for it's
+-	     equivalent to
+-	     (0xff / ((1U << data->color_bits) - 1)) * i
+-	     Precompute the multipliers to avoid division.
+-	  */
+-
+-	  const grub_uint8_t multipliers[5] = { 0xff, 0xff, 0x55, 0x24, 0x11 };
+-	  for (i = 0; i < (1U << data->color_bits); i++)
+-	    {
+-	      grub_uint8_t col = multipliers[data->color_bits] * i;
+-	      palette[i][0] = col;
+-	      palette[i][1] = col;
+-	      palette[i][2] = col;
+-	    }
+-	}
+-      else
+-	grub_memcpy (palette, data->palette, 3 << data->color_bits);
+
+      grub_memcpy (palette, data->palette, 3 << data->color_bits);
+       d1c = d1;
+       d2c = d2;
+       for (j = 0; j < data->image_height; j++, d1c += data->image_width * 3,
+@@ -957,60 +938,6 @@ grub_png_convert_image (struct grub_png_data *data)
+       return;
+     }
+ 
+-  if (data->is_gray)
+-    {
+-      switch (data->bpp)
+-	{
+-	case 4:
+-	  /* 16-bit gray with alpha.  */
+-	  for (i = 0; i < (data->image_width * data->image_height);
+-	       i++, d1 += 4, d2 += 4)
+-	    {
+-	      d1[R4] = d2[3];
+-	      d1[G4] = d2[3];
+-	      d1[B4] = d2[3];
+-	      d1[A4] = d2[1];
+-	    }
+-	  break;
+-	case 2:
+-	  if (data->is_16bit)
+-	    /* 16-bit gray without alpha.  */
+-	    {
+-	      for (i = 0; i < (data->image_width * data->image_height);
+-		   i++, d1 += 4, d2 += 2)
+-		{
+-		  d1[R3] = d2[1];
+-		  d1[G3] = d2[1];
+-		  d1[B3] = d2[1];
+-		}
+-	    }
+-	  else
+-	    /* 8-bit gray with alpha.  */
+-	    {
+-	      for (i = 0; i < (data->image_width * data->image_height);
+-		   i++, d1 += 4, d2 += 2)
+-		{
+-		  d1[R4] = d2[1];
+-		  d1[G4] = d2[1];
+-		  d1[B4] = d2[1];
+-		  d1[A4] = d2[0];
+-		}
+-	    }
+-	  break;
+-	  /* 8-bit gray without alpha.  */
+-	case 1:
+-	  for (i = 0; i < (data->image_width * data->image_height);
+-	       i++, d1 += 3, d2++)
+-	    {
+-	      d1[R3] = d2[0];
+-	      d1[G3] = d2[0];
+-	      d1[B3] = d2[0];
+-	    }
+-	  break;
+-	}
+-      return;
+-    }
+-
+     {
+   /* Only copy the upper 8 bit.  */
+ #ifndef GRUB_CPU_WORDS_BIGENDIAN
+-- 
+2.34.1
+
--- a/Show More
+++ b/Show More