build-appliance-image: Update to kirkstone head revision

(From OE-Core rev: cb8647c08959abb1d6b7c2b3a34b4b415f66d7ee)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

bitbake/lib/bb/cache.py

@@ -619,7 +619,7 @@ class Cache(NoCache):
                 for f in flist:
                     if not f:
                         continue
-                    f, exist = f.split(":")
+                    f, exist = f.rsplit(":", 1)
                     if (exist == "True" and not os.path.exists(f)) or (exist == "False" and os.path.exists(f)):
                         self.logger.debug2("%s's file checksum list file %s changed",
                                              fn, f)

bitbake/lib/bb/cooker.py

@@ -744,19 +744,18 @@ class BBCooker:
                     taskdata[mc].add_unresolved(localdata[mc], self.recipecaches[mc])
                     mcdeps |= set(taskdata[mc].get_mcdepends())
                 new = False
-                for mc in self.multiconfigs:
-                    for k in mcdeps:
-                        if k in seen:
-                            continue
-                        l = k.split(':')
-                        depmc = l[2]
-                        if depmc not in self.multiconfigs:
-                            bb.fatal("Multiconfig dependency %s depends on nonexistent multiconfig configuration named configuration %s" % (k,depmc))
-                        else:
-                            logger.debug("Adding providers for multiconfig dependency %s" % l[3])
-                            taskdata[depmc].add_provider(localdata[depmc], self.recipecaches[depmc], l[3])
-                            seen.add(k)
-                            new = True
+                for k in mcdeps:
+                    if k in seen:
+                        continue
+                    l = k.split(':')
+                    depmc = l[2]
+                    if depmc not in self.multiconfigs:
+                        bb.fatal("Multiconfig dependency %s depends on nonexistent multiconfig configuration named configuration %s" % (k,depmc))
+                    else:
+                        logger.debug("Adding providers for multiconfig dependency %s" % l[3])
+                        taskdata[depmc].add_provider(localdata[depmc], self.recipecaches[depmc], l[3])
+                        seen.add(k)
+                        new = True
 
         for mc in self.multiconfigs:
             taskdata[mc].add_unresolved(localdata[mc], self.recipecaches[mc])

bitbake/lib/bb/fetch2/crate.py

@@ -13,7 +13,6 @@ BitBake 'Fetch' implementation for crates.io
 import hashlib
 import json
 import os
-import shutil
 import subprocess
 import bb
 from   bb.fetch2 import logger, subprocess_setup, UnpackError

bitbake/lib/bb/fetch2/git.py

@@ -240,7 +240,7 @@ class Git(FetchMethod):
             for name in ud.names:
                 ud.unresolvedrev[name] = 'HEAD'
 
-        ud.basecmd = d.getVar("FETCHCMD_git") or "git -c core.fsyncobjectfiles=0 -c gc.autoDetach=false"
+        ud.basecmd = d.getVar("FETCHCMD_git") or "git -c core.fsyncobjectfiles=0 -c gc.autoDetach=false -c core.pager=cat"
 
         write_tarballs = d.getVar("BB_GENERATE_MIRROR_TARBALLS") or "0"
         ud.write_tarballs = write_tarballs != "0" or ud.rebaseable

bitbake/lib/bb/fetch2/osc.py

@@ -43,7 +43,7 @@ class Osc(FetchMethod):
             ud.revision = ud.parm['rev']
         else:
             pv = d.getVar("PV", False)
-            rev = bb.fetch2.srcrev_internal_helper(ud, d)
+            rev = bb.fetch2.srcrev_internal_helper(ud, d, '')
             if rev:
                 ud.revision = rev
             else:

bitbake/lib/bb/fetch2/ssh.py

@@ -32,6 +32,7 @@ IETF secsh internet draft:
 
 import re, os
 from bb.fetch2 import check_network_access, FetchMethod, ParameterError, runfetchcmd
+import urllib
 
 
 __pattern__ = re.compile(r'''
@@ -70,6 +71,7 @@ class SSH(FetchMethod):
                 "git:// prefix with protocol=ssh", urldata.url)
         m = __pattern__.match(urldata.url)
         path = m.group('path')
+        path = urllib.parse.unquote(path)
         host = m.group('host')
         urldata.localpath = os.path.join(d.getVar('DL_DIR'),
                 os.path.basename(os.path.normpath(path)))
@@ -99,7 +101,7 @@ class SSH(FetchMethod):
 
         if path[0] != '~':
             path = '/%s' % path
-        path = path.replace("%3A", ":")
+        path = urllib.parse.unquote(path)
 
         fr += ':%s' % path
 
@@ -139,7 +141,7 @@ class SSH(FetchMethod):
 
         if path[0] != '~':
             path = '/%s' % path
-        path = path.replace("%3A", ":")
+        path = urllib.parse.unquote(path)
 
         cmd = 'ssh -o BatchMode=true %s %s [ -f %s ]' % (
             portarg,

bitbake/lib/bb/msg.py

@@ -133,7 +133,6 @@ class LogFilterShowOnce(logging.Filter):
         self.seen_errors = set()
 
     def filter(self, record):
-        msg = record.msg
         if record.levelno == bb.msg.BBLogFormatter.WARNONCE:
             if record.msg in self.seen_warnings:
                 return False

bitbake/lib/bb/persist_data.py

@@ -208,7 +208,7 @@ class SQLTable(collections.abc.MutableMapping):
 
     def __lt__(self, other):
         if not isinstance(other, Mapping):
-            raise NotImplemented
+            raise NotImplementedError()
 
         return len(self) < len(other)
 

bitbake/lib/bb/providers.py

@@ -396,8 +396,8 @@ def getRuntimeProviders(dataCache, rdepend):
         return rproviders
 
     # Only search dynamic packages if we can't find anything in other variables
-    for pattern in dataCache.packages_dynamic:
-        pattern = pattern.replace(r'+', r"\+")
+    for pat_key in dataCache.packages_dynamic:
+        pattern = pat_key.replace(r'+', r"\+")
         if pattern in regexp_cache:
             regexp = regexp_cache[pattern]
         else:
@@ -408,7 +408,7 @@ def getRuntimeProviders(dataCache, rdepend):
                 raise
             regexp_cache[pattern] = regexp
         if regexp.match(rdepend):
-            rproviders += dataCache.packages_dynamic[pattern]
+            rproviders += dataCache.packages_dynamic[pat_key]
             logger.debug("Assuming %s is a dynamic package, but it may not exist" % rdepend)
 
     return rproviders

bitbake/lib/bb/runqueue.py

@@ -1674,7 +1674,7 @@ class RunQueue:
             (mc, fn, taskname, taskfn) = split_tid_mcfn(tid)
             pn = self.rqdata.dataCaches[mc].pkg_fn[taskfn]
             h = self.rqdata.runtaskentries[tid].hash
-            matches = bb.siggen.find_siginfo(pn, taskname, [], self.cfgData)
+            matches = bb.siggen.find_siginfo(pn, taskname, [], self.cooker.databuilder.mcdata[mc])
             match = None
             for m in matches:
                 if h in m:
@@ -2664,7 +2664,6 @@ def build_scenequeue_data(sqdata, rqdata, rq, cooker, stampcache, sqrq):
             sq_revdeps_squash[point] = set()
             if point in rqdata.runq_setscene_tids:
                 sq_revdeps_squash[point] = tasks
-                tasks = set()
                 continue
             for dep in rqdata.runtaskentries[point].depends:
                 if point in sq_revdeps[dep]:

bitbake/lib/bb/server/process.py

@@ -20,7 +20,6 @@ import os
 import sys
 import time
 import select
-import signal
 import socket
 import subprocess
 import errno

bitbake/lib/bb/siggen.py

@@ -40,7 +40,6 @@ def init(d):
     for sg in siggens:
         if desired == sg.name:
             return sg(d)
-            break
     else:
         logger.error("Invalid signature generator '%s', using default 'noop'\n"
                      "Available generators: %s", desired,

bitbake/lib/bb/tests/parse.py

@@ -119,7 +119,7 @@ EXTRA_OECONF:class-target = "b"
 EXTRA_OECONF:append = " c"
 """
 
-    def test_parse_overrides(self):
+    def test_parse_overrides2(self):
         f = self.parsehelper(self.overridetest2)
         d = bb.parse.handle(f.name, self.d)['']
         d.appendVar("EXTRA_OECONF", " d")

bitbake/lib/bb/ui/buildinfohelper.py

@@ -45,7 +45,7 @@ from pprint import pformat
 import logging
 from datetime import datetime, timedelta
 
-from django.db import transaction, connection
+from django.db import transaction
 
 
 # pylint: disable=invalid-name
@@ -496,7 +496,7 @@ class ORMWrapper(object):
             if not parent_path:
                 parent_path = "/"
             parent_obj = self._cached_get(Target_File, target = target_obj, path = parent_path, inodetype = Target_File.ITYPE_DIRECTORY)
-            tf_obj = Target_File.objects.create(
+            Target_File.objects.create(
                         target = target_obj,
                         path = path,
                         size = size,
@@ -561,7 +561,7 @@ class ORMWrapper(object):
 
             parent_obj = Target_File.objects.get(target = target_obj, path = parent_path, inodetype = Target_File.ITYPE_DIRECTORY)
 
-            tf_obj = Target_File.objects.create(
+            Target_File.objects.create(
                         target = target_obj,
                         path = path,
                         size = size,
@@ -1062,27 +1062,6 @@ class BuildInfoHelper(object):
 
         return recipe_info
 
-    def _get_path_information(self, task_object):
-        self._ensure_build()
-
-        assert isinstance(task_object, Task)
-        build_stats_format = "{tmpdir}/buildstats/{buildname}/{package}/"
-        build_stats_path = []
-
-        for t in self.internal_state['targets']:
-            buildname = self.internal_state['build'].build_name
-            pe, pv = task_object.recipe.version.split(":",1)
-            if pe:
-                package = task_object.recipe.name + "-" + pe + "_" + pv
-            else:
-                package = task_object.recipe.name + "-" + pv
-
-            build_stats_path.append(build_stats_format.format(tmpdir=self.tmp_dir,
-                                                     buildname=buildname,
-                                                     package=package))
-
-        return build_stats_path
-
 
     ################################
     ## external available methods to store information

bitbake/lib/bb/ui/knotty.py

@@ -877,7 +877,6 @@ def main(server, eventHandler, params, tf = TerminalFilter):
                     state_force_shutdown()
 
             main.shutdown = main.shutdown + 1
-            pass
         except Exception as e:
             import traceback
             sys.stderr.write(traceback.format_exc())

documentation/conf.py

@@ -90,7 +90,7 @@ rst_prolog = """
 
 # external links and substitutions
 extlinks = {
-    'cve': ('https://nvd.nist.gov/vuln/detail/CVE-%s', 'CVE-%s'),
+    'cve': ('https://nvd.nist.gov/vuln/detail/CVE-%s', 'CVE-'),
     'yocto_home': ('https://www.yoctoproject.org%s', None),
     'yocto_wiki': ('https://wiki.yoctoproject.org/wiki%s', None),
     'yocto_dl': ('https://downloads.yoctoproject.org%s', None),

documentation/migration-guides/index.rst

@@ -12,8 +12,8 @@ to move to one release of the Yocto Project from the previous one.
 .. toctree::
 
    migration-general
-   migration-4.0
-   migration-3.4
+   release-4.0
+   release-3.4
    migration-3.3
    migration-3.2
    migration-3.1

documentation/migration-guides/migration-3.4.rst

@@ -1,6 +1,3 @@
-Release 3.4 (honister)
-======================
-
 Migration notes for 3.4 (honister)
 ----------------------------------
 
@@ -265,6 +262,12 @@ Miscellaneous
   built-in override support in the fetcher or overrides in general
   instead.
 
-.. include:: release-notes-3.4.rst
-.. include:: release-notes-3.4.1.rst
-.. include:: release-notes-3.4.2.rst
+- The ``-P`` (``--clear-password``) option can no longer be used with
+  ``useradd`` and ``usermod`` entries in :term:`EXTRA_USERS_PARAMS`.
+  It was being implemented using a custom patch to the ``shadow`` recipe
+  which clashed with a ``-P`` option that was added upstream in
+  ``shadow`` version 4.9, and in any case is fundamentally insecure.
+  Hardcoded passwords are still supported but they need to be hashed, see
+  examples in :term:`EXTRA_USERS_PARAMS`.
+
+

documentation/migration-guides/migration-4.0.rst

@@ -1,61 +1,74 @@
 Release 4.0 (kirkstone)
 =======================
 
+Migration notes for 4.0 (kirkstone)
+-----------------------------------
+
 This section provides migration information for moving to the Yocto
 Project 4.0 Release (codename "kirkstone") from the prior release.
 
-Recipe changes
---------------
+.. _migration-4.0-inclusive-language:
 
-- To use more `inclusive language <https://inclusivenaming.org/>`__
-  in the code and documentation, some variables have been renamed or even
-  deleted. BitBake will stop with an error when renamed or removed variables
-  still exist in your recipes or configuration.
+Inclusive language improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-  Please note that the change applies also to environmental variables, so
-  make sure you use a fresh environment for your build.
+To use more `inclusive language <https://inclusivenaming.org/>`__
+in the code and documentation, some variables have been renamed, and
+some have been deleted where they are no longer needed. In many cases the
+new names are also easier to understand. BitBake will stop with an error when
+renamed or removed variables still exist in your recipes or configuration.
 
-  The following variables have changed their names:
+Please note that the change applies also to environmental variables, so
+make sure you use a fresh environment for your build.
 
-  - ``BB_ENV_WHITELIST`` became :term:`BB_ENV_PASSTHROUGH`
-  - ``BB_ENV_EXTRAWHITE`` became :term:`BB_ENV_PASSTHROUGH_ADDITIONS`
-  - ``BB_HASHBASE_WHITELIST`` became :term:`BB_BASEHASH_IGNORE_VARS`
-  - ``BB_HASHCONFIG_WHITELIST`` became :term:`BB_HASHCONFIG_IGNORE_VARS`
-  - ``BB_HASHTASK_WHITELIST`` became ``BB_TASKHASH_IGNORE_TASKS``
-  - ``BB_SETSCENE_ENFORCE_WHITELIST`` became ``BB_SETSCENE_ENFORCE_IGNORE_TASKS``
-  - ``CVE_CHECK_PN_WHITELIST`` became :term:`CVE_CHECK_SKIP_RECIPE`
-  - ``CVE_CHECK_WHITELIST`` became :term:`CVE_CHECK_IGNORE`
-  - ``ICECC_USER_CLASS_BL`` became :term:`ICECC_CLASS_DISABLE`
-  - ``ICECC_SYSTEM_CLASS_BL`` became :term:`ICECC_CLASS_DISABLE`
-  - ``ICECC_USER_PACKAGE_WL`` became :term:`ICECC_RECIPE_ENABLE`
-  - ``ICECC_USER_PACKAGE_BL`` became :term:`ICECC_RECIPE_DISABLE`
-  - ``ICECC_SYSTEM_PACKAGE_BL`` became :term:`ICECC_RECIPE_DISABLE`
-  - ``LICENSE_FLAGS_WHITELIST`` became :term:`LICENSE_FLAGS_ACCEPTED`
-  - ``MULTI_PROVIDER_WHITELIST`` became :term:`BB_MULTI_PROVIDER_ALLOWED`
-  - ``PNBLACKLIST`` became :term:`SKIP_RECIPE`
-  - ``SDK_LOCAL_CONF_BLACKLIST`` became :term:`ESDK_LOCALCONF_REMOVE`
-  - ``SDK_LOCAL_CONF_WHITELIST`` became :term:`ESDK_LOCALCONF_ALLOW`
-  - ``SDK_INHERIT_BLACKLIST`` became :term:`ESDK_CLASS_INHERIT_DISABLE`
-  - ``SSTATE_DUPWHITELIST`` became ``SSTATE_ALLOW_OVERLAP_FILES``
-  - ``SYSROOT_DIRS_BLACKLIST`` became :term:`SYSROOT_DIRS_IGNORE`
-  - ``UNKNOWN_CONFIGURE_WHITELIST`` became :term:`UNKNOWN_CONFIGURE_OPT_IGNORE`
+The following variables have changed their names:
 
-  In addition, ``BB_STAMP_WHITELIST``, ``BB_STAMP_POLICY``, ``INHERIT_BLACKLIST``
-  and ``TUNEABI_WHITELIST`` have been removed.
+- ``BB_ENV_WHITELIST`` became :term:`BB_ENV_PASSTHROUGH`
+- ``BB_ENV_EXTRAWHITE`` became :term:`BB_ENV_PASSTHROUGH_ADDITIONS`
+- ``BB_HASHBASE_WHITELIST`` became :term:`BB_BASEHASH_IGNORE_VARS`
+- ``BB_HASHCONFIG_WHITELIST`` became :term:`BB_HASHCONFIG_IGNORE_VARS`
+- ``BB_HASHTASK_WHITELIST`` became ``BB_TASKHASH_IGNORE_TASKS``
+- ``BB_SETSCENE_ENFORCE_WHITELIST`` became ``BB_SETSCENE_ENFORCE_IGNORE_TASKS``
+- ``CVE_CHECK_PN_WHITELIST`` became :term:`CVE_CHECK_SKIP_RECIPE`
+- ``CVE_CHECK_WHITELIST`` became :term:`CVE_CHECK_IGNORE`
+- ``ICECC_USER_CLASS_BL`` became :term:`ICECC_CLASS_DISABLE`
+- ``ICECC_SYSTEM_CLASS_BL`` became :term:`ICECC_CLASS_DISABLE`
+- ``ICECC_USER_PACKAGE_WL`` became :term:`ICECC_RECIPE_ENABLE`
+- ``ICECC_USER_PACKAGE_BL`` became :term:`ICECC_RECIPE_DISABLE`
+- ``ICECC_SYSTEM_PACKAGE_BL`` became :term:`ICECC_RECIPE_DISABLE`
+- ``LICENSE_FLAGS_WHITELIST`` became :term:`LICENSE_FLAGS_ACCEPTED`
+- ``MULTI_PROVIDER_WHITELIST`` became :term:`BB_MULTI_PROVIDER_ALLOWED`
+- ``PNBLACKLIST`` became :term:`SKIP_RECIPE`
+- ``SDK_LOCAL_CONF_BLACKLIST`` became :term:`ESDK_LOCALCONF_REMOVE`
+- ``SDK_LOCAL_CONF_WHITELIST`` became :term:`ESDK_LOCALCONF_ALLOW`
+- ``SDK_INHERIT_BLACKLIST`` became :term:`ESDK_CLASS_INHERIT_DISABLE`
+- ``SSTATE_DUPWHITELIST`` became ``SSTATE_ALLOW_OVERLAP_FILES``
+- ``SYSROOT_DIRS_BLACKLIST`` became :term:`SYSROOT_DIRS_IGNORE`
+- ``UNKNOWN_CONFIGURE_WHITELIST`` became :term:`UNKNOWN_CONFIGURE_OPT_IGNORE`
+- ``WHITELIST_<license>`` became ``INCOMPATIBLE_LICENSE_EXCEPTIONS``
 
-  Many internal variable names have been also renamed accordingly.
+In addition, ``BB_STAMP_WHITELIST``, ``BB_STAMP_POLICY``, ``INHERIT_BLACKLIST``,
+``TUNEABI``, ``TUNEABI_WHITELIST``, and ``TUNEABI_OVERRIDE`` have been removed.
 
-  In addition, in the ``cve-check`` output, the CVE issue status ``Whitelisted``
-  has been renamed to ``Ignored``.
+Many internal variable names have been also renamed accordingly.
 
-  A :oe_git:`convert-variable-renames.py
-  </openembedded-core/tree/scripts/contrib/convert-variable-renames.py>`
-  script is provided to convert your recipes and configuration,
-  and also warns you about the use of problematic words. The script performs
-  changes and you need to review them before committing. An example warning
-  looks like::
+In addition, in the ``cve-check`` output, the CVE issue status ``Whitelisted``
+has been renamed to ``Ignored``.
 
-     poky/scripts/lib/devtool/upgrade.py needs further work at line 275 since it contains abort
+The :term:`BB_DISKMON_DIRS` variable value now uses the term ``HALT``
+instead of ``ABORT``.
+
+A :oe_git:`convert-variable-renames.py
+</openembedded-core/tree/scripts/contrib/convert-variable-renames.py>`
+script is provided to convert your recipes and configuration,
+and also warns you about the use of problematic words. The script performs
+changes and you need to review them before committing. An example warning
+looks like::
+
+    poky/scripts/lib/devtool/upgrade.py needs further work at line 275 since it contains abort
+    
+Fetching changes
+~~~~~~~~~~~~~~~~
 
 - Because of the uncertainty in future default branch names in git repositories,
   it is now required to add a branch name to all URLs described
@@ -70,7 +83,8 @@ Recipe changes
 - Because of `GitHub dropping support for the git:
   protocol <https://github.blog/2021-09-01-improving-git-protocol-security-github/>`__,
   recipes now need to use ``;protocol=https`` at the end of GitHub
-  URLs. The same script as above can be used to convert the recipes.
+  URLs. The same ``convert-srcuri`` script mentioned above can be used to convert
+  your recipes.
 
 - Network access from tasks is now disabled by default on kernels which support
   this feature (on most recent distros such as CentOS 8 and Debian 11 onwards).
@@ -84,87 +98,170 @@ Recipe changes
   usually undermines fetcher source mirroring, image and licence manifests, software
   auditing and supply chain security.
 
-- The :term:`TOPDIR` variable and the current working directory are no longer modified
-  when parsing recipes. Any code depending on that behaviour will no longer work.
+License changes
+~~~~~~~~~~~~~~~
 
-- The ``append``, ``prepend`` and ``remove`` operators can now only be combined with
-  ``=`` and ``:=`` operators. To the exception of the ``append`` plus ``+=`` and
-  ``prepend`` plus ``=+`` combinations, all combinations could be factored up to the
-  ``append``, ``prepend`` or ``remove`` in the combination. This brought a lot of
-  confusion on how the override style syntax operators work and should be used.
-  Therefore, those combinations can simply be replaced by a single ``append``,
-  ``prepend`` or ``remove`` operator without any additional change.
-  For the ``append`` plus ``+=`` (and ``prepend`` plus ``=+``) combinations,
-  the content should be prefixed (respectively suffixed) by a space to maintain
-  the same behavior.  You can learn more about override style syntax operators
-  (``append``, ``prepend`` and ``remove``) in the BitBake documentation:
-  :ref:`bitbake:bitbake-user-manual/bitbake-user-manual-metadata:appending and prepending (override style syntax)`
-  and :ref:`bitbake:bitbake-user-manual/bitbake-user-manual-metadata:removal (override style syntax)`.
+- The ambiguous "BSD" license has been removed from the ``common-licenses`` directory.
+  Each recipe that fetches or builds BSD-licensed code should specify the proper
+  version of the BSD license in its :term:`LICENSE` value.
 
-- :ref:`allarch <ref-classes-allarch>` packagegroups can no longer depend on packages
-  which use :term:`PKG` renaming such as :ref:`ref-classes-debian`.
-
-- :term:`LICENSE` definitions now have to use `SPDX identifiers <https://spdx.org/licenses/>`__.
-  A :oe_git:`convert-spdx-licenses.py </openembedded-core/tree/scripts/contrib/convert-spdx-licenses.py>`
+- :term:`LICENSE` variable values should now use `SPDX identifiers <https://spdx.org/licenses/>`__.
+  If they do not, by default a warning will be shown. A
+  :oe_git:`convert-spdx-licenses.py </openembedded-core/tree/scripts/contrib/convert-spdx-licenses.py>`
   script can be used to update your recipes.
+  
+- :term:`INCOMPATIBLE_LICENSE` should now use `SPDX identifiers <https://spdx.org/licenses/>`__.
+  Additionally, wildcarding is now limited to specifically supported values -
+  see the :term:`INCOMPATIBLE_LICENSE` documentation for further information.
 
-- :term:`SRC_URI`: a new :ref:`bitbake:bitbake-user-manual/bitbake-user-manual-fetching:crate fetcher (\`\`crate://\`\`)`
-  is available for Rust packages.
+- The ``AVAILABLE_LICENSES`` variable has been removed. This variable was a performance
+  liability and is highly dependent on which layers are added to the configuration,
+  which can cause signature issues for users. In addition the ``available_licenses()``
+  function has been removed from the :ref:`license <ref-classes-license>` class as
+  it is no longer needed.
+  
+Removed recipes
+~~~~~~~~~~~~~~~
 
-Class changes
--------------
+The following recipes have been removed in this release:
 
-- The ``distutils*.bbclasses`` have been moved to ``meta-python``. The classes and
-  `DISTUTILS*` variables have been removed from the documentation.
+- ``dbus-test``: merged into main dbus recipe
+- ``libid3tag``: moved to meta-oe - no longer needed by anything in OE-Core
+- ``libportal``: moved to meta-gnome - no longer needed by anything in OE-Core
+- ``linux-yocto``: removed version 5.14 recipes (5.15 and 5.10 still provided)
+- ``python3-nose``: has not changed since 2016 upstream, and no longer needed by anything in OE-Core
+- ``rustfmt``: not especially useful as a standalone recipe
 
-- ``blacklist.bbclass`` is removed and the functionality moved to the
-  :ref:`base <ref-classes-base>` class with a more descriptive
-  ``varflag`` named :term:`SKIP_RECIPE` which will use the `SkipRecipe()`
-  function. The usage will remain the same::
-
-     SKIP_RECIPE[my-recipe] = "Reason for skipping recipe"
-
-- The Python package build process based on `wheels <https://pythonwheels.com/>`__.
+Python changes
+~~~~~~~~~~~~~~
+     
+- ``distutils`` has been deprecated upstream in Python 3.10 and thus the ``distutils*``
+  classes have been moved to ``meta-python``. Recipes that inherit the ``distutils*``
+  classes should be updated to inherit ``setuptools*`` equivalents instead.
+  
+- The Python package build process is now based on `wheels <https://pythonwheels.com/>`__.
   Here are the new Python packaging classes that should be used:
-  :ref:`python-flit_core <ref-classes-python_flit_core>`,
-  :ref:`setuptools_python-build_meta <ref-classes-python_setuptools_build_meta>`
-  and :ref:`python_poetry_core <ref-classes-python_poetry_core>`.
+  :ref:`python_flit_core <ref-classes-python_flit_core>`,
+  :ref:`python_setuptools_build_meta <ref-classes-python_setuptools_build_meta>`
+  and :ref:`python_poetry_core <ref-classes-python_poetry_core>`.  
 
-- ``image-prelink.bbclass`` class is removed.
+- The :ref:`setuptools3 <ref-classes-setuptools3>` class ``do_install()`` task now
+  installs the ``wheel`` binary archive. In current versions of ``setuptools`` the
+  legacy ``setup.py install`` method is deprecated. If the ``setup.py`` cannot be used
+  with wheels, for example it creates files outside of the Python module or standard
+  entry points, then :ref:`setuptools3_legacy <ref-classes-setuptools3_legacy>` should
+  be used instead.
 
-- New :ref:`overlayfs <ref-classes-overlayfs>` and
-  :ref:`overlayfs-etc <ref-classes-overlayfs-etc>` classes are available
-  to make it easier to overlay read-only filesystems (for example)
-  with `OverlayFS <https://en.wikipedia.org/wiki/OverlayFS>`__.
+Prelink removed
+~~~~~~~~~~~~~~~
 
-Configuration changes
----------------------
+Prelink has been dropped by ``glibc`` upstream in 2.36. It already caused issues with
+binary corruption, has a number of open bugs and is of questionable benefit
+without disabling load address randomization and PIE executables.
+    
+We disabled prelinking by default in the honister (3.4) release, but left it able
+to be enabled if desired. However, without glibc support it cannot be maintained
+any further, so all of the prelinking functionality has been removed in this release.
+If you were enabling the ``image-prelink`` class in :term:`INHERIT`, :term:`IMAGE_CLASSES`,
+:term:`USER_CLASSES` etc in your configuration, then you will need to remove the
+reference(s).
 
-- The Yocto Project now allows to reuse Shared State from its autobuilder.
-  If the network connection between our server and your machine is faster
-  than you would build recipes, you can try to speed up your builds
-  by using such Share State and Hash Equivalence by setting::
+Reproducible as standard
+~~~~~~~~~~~~~~~~~~~~~~~~
 
-     BB_SIGNATURE_HANDLER = "OEEquivHash"
-     BB_HASHSERVE = "auto"
-     BB_HASHSERVE_UPSTREAM = "typhoon.yocto.io:8687"
-     SSTATE_MIRRORS ?= "file://.* https://sstate.yoctoproject.org/&YOCTO_DOC_VERSION;/PATH;downloadfilename=PATH"
+Reproducibility is now considered as standard functionality, thus the 
+``reproducible`` class has been removed and its previous contents merged into the
+:ref:`base <ref-classes-base>` class. If you have references in your configuration to
+``reproducible`` in :term:`INHERIT`, :term:`USER_CLASSES` etc. then they should be
+removed.
+
+Additionally, the ``BUILD_REPRODUCIBLE_BINARIES`` variable is no longer used.
+Specifically for the kernel, if you wish to enable build timestamping functionality
+that is normally disabled for reproducibility reasons, you can do so by setting
+a new :term:`KERNEL_DEBUG_TIMESTAMPS` variable to "1".
 
 Supported host distribution changes
------------------------------------
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-- New support for `AlmaLinux <https://en.wikipedia.org/wiki/AlmaLinux>`__
+- Support for `AlmaLinux <https://en.wikipedia.org/wiki/AlmaLinux>`__
   hosts replacing `CentOS <https://en.wikipedia.org/wiki/CentOS>`__.
   The following distribution versions were dropped: CentOS 8, Ubuntu 16.04 and Fedora 30, 31 and 32.
 
-Changes for release notes
--------------------------
+- ``gcc`` version 7.5 is now required at minimum on the build host. For older
+  host distributions where this is not available, you can use the
+  ``buildtools-extended-tarball`` (easily installable using
+  ``scripts/install-buildtools``).
 
-- Share State cache: now using `ZStandard (zstd) <https://en.wikipedia.org/wiki/Zstd>`__
-  instead of Gzip compression, for better performance.
+:append/:prepend in combination with other operators
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-- BitBake has an improved ``setscene`` task display.
+The ``append``, ``prepend`` and ``remove`` operators can now only be combined with
+``=`` and ``:=`` operators. To the exception of the ``append`` plus ``+=`` and
+``prepend`` plus ``=+`` combinations, all combinations could be factored up to the
+``append``, ``prepend`` or ``remove`` in the combination. This brought a lot of
+confusion on how the override style syntax operators work and should be used.
+Therefore, those combinations should be replaced by a single ``append``,
+``prepend`` or ``remove`` operator without any additional change.
+For the ``append`` plus ``+=`` (and ``prepend`` plus ``=+``) combinations,
+the content should be prefixed (respectively suffixed) by a space to maintain
+the same behavior.  You can learn more about override style syntax operators
+(``append``, ``prepend`` and ``remove``) in the BitBake documentation:
+:ref:`bitbake:bitbake-user-manual/bitbake-user-manual-metadata:appending and prepending (override style syntax)`
+and :ref:`bitbake:bitbake-user-manual/bitbake-user-manual-metadata:removal (override style syntax)`.
 
-- This release fixes the reproducibility issues with ``rust-llvm`` and ``golang``.
-  Recipes in OpenEmbedded-Core are now fully reproducible.
+Miscellaneous changes
+~~~~~~~~~~~~~~~~~~~~~
+  
+- ``blacklist.bbclass`` is removed and the functionality moved to the
+  :ref:`base <ref-classes-base>` class with a more descriptive
+  ``varflag`` variable named :term:`SKIP_RECIPE` which will use the `bb.parse.SkipRecipe()`
+  function. The usage remains the same, for example::
+
+     SKIP_RECIPE[my-recipe] = "Reason for skipping recipe"
+
+- :ref:`allarch <ref-classes-allarch>` packagegroups can no longer depend on packages
+  which use :term:`PKG` renaming such as :ref:`ref-classes-debian`. Such packagegroups
+  recipes should be changed to avoid inheriting :ref:`allarch <ref-classes-allarch>`.
+
+- The ``lnr`` script has been removed. ``lnr`` implemented the same behaviour as `ln --relative --symbolic`,
+  since at the time of creation `--relative` was only available in coreutils 8.16
+  onwards which was too new for the older supported distros. Current supported host
+  distros have a new enough version of coreutils, so it is no longer needed. If you have
+  any calls to ``lnr`` in your recipes or classes, they should be replaced with
+  `ln --relative --symbolic` or `ln -rs` if you prefer the short version.
+
+- The ``package_qa_handle_error()`` function formerly in the :ref:`insane <ref-classes-insane>`
+  class has been moved and renamed - if you have any references in your own custom
+  classes they should be changed to ``oe.qa.handle_error()``.
+
+- When building ``perl``, Berkeley db support is no longer enabled by default, since
+  Berkeley db is largely obsolete. If you wish to reenable it, you can append ``bdb``
+  to :term:`PACKAGECONFIG` in a ``perl`` bbappend or ``PACKAGECONFIG:pn-perl`` at
+  the configuration level.
+
+- For the ``xserver-xorg`` recipe, the ``xshmfence``, ``xmlto`` and ``systemd`` options
+  previously supported in :term:`PACKAGECONFIG` have been removed, as they are no
+  longer supported since the move from building it with autotools to meson in this release.
+
+- For the ``libsdl2`` recipe, various X11 features are now disabled by default (primarily
+  for reproducibility purposes in the native case) with options in :term:`EXTRA_OECMAKE`
+  within the recipe. These can be changed within a bbappend if desired. See the
+  ``libsdl2`` recipe for more details.
+
+- The ``cortexa72-crc`` and ``cortexa72-crc-crypto`` tunes have been removed since
+  the crc extension is now enabled by default for cortexa72. Replace any references to
+  these with ``cortexa72`` and ``cortexa72-crypto`` respectively.
+  
+- The Python development shell (previously known as ``devpyshell``) feature has been
+  renamed to ``pydevshell``. To start it you should now run::
+
+     bitbake <target> -c pydevshell
+
+- The ``packagegroups-core-full-cmdline-libs`` packagegroup is no longer produced, as
+  libraries should normally be brought in via dependencies. If you have any references
+  to this then remove them.
+  
+- The :term:`TOPDIR` variable and the current working directory are no longer modified
+  when parsing recipes. Any code depending on the previous behaviour will no longer
+  work - change any such code to explicitly use appropriate path variables instead.
 

documentation/migration-guides/release-3.4.rst

@@ -0,0 +1,10 @@
+Release 3.4 (honister)
+======================
+
+.. toctree::
+
+   migration-3.4
+   release-notes-3.4
+   release-notes-3.4.1
+   release-notes-3.4.2
+

documentation/migration-guides/release-4.0.rst

@@ -0,0 +1,7 @@
+Release 4.0 (kirkstone)
+=======================
+
+.. toctree::
+
+   migration-4.0
+   release-notes-4.0

documentation/migration-guides/release-notes-4.0.rst

@@ -0,0 +1,933 @@
+Release notes for 4.0 (kirkstone)
+---------------------------------
+
+This is a Long Term Support release, published in April 2022, and supported at least for two years (April 2024).
+
+New Features / Enhancements in 4.0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- Linux kernel 5.15, glibc 2.35 and ~300 other recipe upgrades
+
+- Reproducibility: this release fixes the reproducibility issues with ``rust-llvm`` and
+  ``golang``. Recipes in OpenEmbedded-Core are now fully reproducible. Functionality
+  previously in the optional "reproducible" class has been merged into the base class.
+
+- Network access is now disabled by default for tasks other than where it is expected to ensure build integrity (where host kernel supports it)
+
+- The Yocto Project now allows you to reuse the Shared State cache from
+  its autobuilder. If the network connection between our server and your
+  machine is faster than you would build recipes from source, you can
+  try to speed up your builds by using such Shared State and Hash
+  Equivalence by setting::
+
+     BB_SIGNATURE_HANDLER = "OEEquivHash"
+     BB_HASHSERVE = "auto"
+     BB_HASHSERVE_UPSTREAM = "typhoon.yocto.io:8687"
+     SSTATE_MIRRORS ?= "file://.* https://sstate.yoctoproject.org/&YOCTO_DOC_VERSION;/PATH;downloadfilename=PATH"
+
+- The Python package build process is now based on `wheels <https://pythonwheels.com/>`__
+  in line with the upstream direction.
+
+- New :ref:`overlayfs <ref-classes-overlayfs>` and
+  :ref:`overlayfs-etc <ref-classes-overlayfs-etc>` classes and
+  ``overlayroot`` support in the initramfs framework to make it easier to
+  overlay read-only filesystems (for example) with
+  `OverlayFS <https://en.wikipedia.org/wiki/OverlayFS>`__.
+
+- Inclusive language adjustments to some variable names - see the
+  :ref:`4.0 migration guide <migration-4.0-inclusive-language>` for details.
+  
+- New recipes:
+
+   - ``buildtools-docs-tarball``
+   - ``libptytty``
+   - ``libxcvt``
+   - ``lua``
+   - ``nghttp2``
+   - ``python3-alabaster``
+   - ``python3-asn1crypto``
+   - ``python3-babel``
+   - ``python3-bcrypt``
+   - ``python3-certifi``
+   - ``python3-cffi``
+   - ``python3-chardet``
+   - ``python3-cryptography``
+   - ``python3-cryptography-vectors``
+   - ``python3-dtschema``
+   - ``python3-flit-core``
+   - ``python3-idna``
+   - ``python3-imagesize``
+   - ``python3-installer``
+   - ``python3-iso8601``
+   - ``python3-jsonpointer``
+   - ``python3-jsonschema``
+   - ``python3-ndg-httpsclient``
+   - ``python3-ply``
+   - ``python3-poetry-core``
+   - ``python3-pretend``
+   - ``python3-psutil``
+   - ``python3-pyasn1``
+   - ``python3-pycparser``
+   - ``python3-pyopenssl``
+   - ``python3-pyrsistent``
+   - ``python3-pysocks``
+   - ``python3-pytest-runner``
+   - ``python3-pytest-subtests``
+   - ``python3-pytz``
+   - ``python3-requests``
+   - ``python3-rfc3339-validator``
+   - ``python3-rfc3986-validator``
+   - ``python3-rfc3987``
+   - ``python3-ruamel-yaml``
+   - ``python3-semantic-version``
+   - ``python3-setuptools-rust-native``
+   - ``python3-snowballstemmer``
+   - ``python3-sphinx``
+   - ``python3-sphinxcontrib-applehelp``
+   - ``python3-sphinxcontrib-devhelp``
+   - ``python3-sphinxcontrib-htmlhelp``
+   - ``python3-sphinxcontrib-jsmath``
+   - ``python3-sphinxcontrib-qthelp``
+   - ``python3-sphinxcontrib-serializinghtml``
+   - ``python3-sphinx-rtd-theme``
+   - ``python3-strict-rfc3339``
+   - ``python3-tomli``
+   - ``python3-typing-extensions``
+   - ``python3-urllib3``
+   - ``python3-vcversioner``
+   - ``python3-webcolors``
+   - ``python3-wheel``
+   - ``repo``
+   - ``seatd``
+
+- Extended recipes to ``native``: ``wayland``, ``wayland-protocols``
+
+- Shared state (sstate) improvements:
+
+   - Switched to `ZStandard (zstd) <https://en.wikipedia.org/wiki/Zstd>`__ instead
+     of Gzip, for better performance.
+   - Allow validation of sstate signatures against a list of keys
+   - Improved error messages and exception handling
+
+- BitBake enhancements:
+
+   - Fetcher enhancements:
+   
+      - New :ref:`bitbake:bitbake-user-manual/bitbake-user-manual-fetching:crate fetcher (\`\`crate://\`\`)` for Rust packages
+      - Added striplevel support to unpack
+      - git: Add a warning asking users to set a branch in git urls
+      - git: Allow git fetcher to support subdir param
+      - git: canonicalize ids in generated tarballs
+      - git: stop generated tarballs from leaking info
+      - npm: Put all downloaded files in the npm2 directory
+      - npmsw: Add support for duplicate dependencies without url
+      - npmsw: Add support for github prefix in npm shrinkwrap version
+      - ssh: now supports checkstatus, allows : in URLs (both required for use with sstate) and no longer requires username
+      - wget: add redirectauth parameter
+      - wget: add 30s timeout for checkstatus calls
+   
+   - Show warnings for append/prepend/remove operators combined with +=/.=
+   - Add bb.warnonce() and bb.erroronce() log methods
+   - Improved setscene task display
+   - Show elapsed time also for tasks with progress bars
+   - Improved cleanup on forced shutdown (either because of errors or Ctrl+C)
+   - contrib: Add Dockerfile for building PR service container
+   - Change file format of siginfo files to use zstd compressed json
+   - Display active tasks when printing keep-alive message to help debugging
+
+-  Architecture-specific enhancements:
+
+   - ARM:
+  
+      - tune-cortexa72: Enable the crc extension by default for cortexa72
+      - qemuarm64: Add tiny ktype to qemuarm64 bsp
+      - armv9a/tune: Add the support for the Neoverse N2 core
+      - arch-armv8-5a.inc: Add tune include for armv8.5a
+      - grub-efi: Add xen_boot support when 'xen' is in DISTRO_FEATURES for aarch64
+      - tune-cortexa73: Introduce cortexa73-crypto tune
+      - libacpi: Build libacpi also for 'aarch64' machines
+      - core-image-tiny-initramfs: Mark recipe as 32 bit ARM compatible
+
+   - PowerPC:
+
+      - weston-init: Use pixman rendering for qemuppc64
+      - rust: add support for big endian 64-bit PowerPC
+      - rust: Add snapshot checksums for powerpc64le
+
+   - RISC-V:
+
+      - libunwind: Enable for rv64
+      - systemtap: Enable for riscv64
+      - linux-yocto-dev: add qemuriscv32
+      - packagegroup-core-tools-profile: Enable systemtap for riscv64
+      - qemuriscv: Use virtio-tablet-pci for mouse
+  
+   - x86:
+
+      - kernel-yocto: conditionally enable stack protection checking on x86-64
+
+-  Kernel-related enhancements:
+
+   - Allow initramfs to be built from a separate multiconfig
+   - Make kernel-base recommend kernel-image, not depend (allowing images containing kernel modules without kernel image)
+   - linux-yocto: split vtpm for more granular inclusion
+   - linux-yocto: cfg/debug: add configs for kcsan
+   - linux-yocto: cfg: add kcov feature fragment
+   - linux-yocto: export pkgconfig variables to devshell
+   - linux-yocto-dev: use versioned branch as default
+   - New ``KERNEL_DEBUG_TIMESTAMPS`` variable (to replace removed ``BUILD_REPRODUCIBLE_BINARIES`` for the kernel)
+   - Introduce python3-dtschema-wrapper in preparation for mandatory schema checking on dtb files in 5.16
+   - Allow disabling kernel artifact symlink creation
+   - Allow changing default .bin kernel artifact extension
+
+- FIT image related enhancements:
+
+   - New ``FIT_SUPPORTED_INITRAMFS_FSTYPES`` variable to allow extending initramfs image types to look for
+   - New ``FIT_CONF_PREFIX`` variable to allow overriding FIT configuration prefix
+   - Use 'bbnote' for better logging
+
+- New :term:`PACKAGECONFIG` options in ``curl``, ``dtc``, ``epiphany``, ``git``, ``git``, ``gstreamer1.0-plugins-bad``, ``linux-yocto-dev``, ``kmod``, ``mesa``, ``piglit``, ``qemu``, ``rpm``, ``systemd``, ``webkitgtk``, ``weston-init``
+- ptest enhancements in ``findutils``, ``lttng-tools``, ``openssl``, ``gawk``, ``strace``, ``lttng-tools``, ``valgrind``, ``perl``, ``libxml-parser-perl``, ``openssh``, ``python3-cryptography``, ``popt``
+
+- Sysroot dependencies have been further optimised
+- Significant effort to upstream / rationalise patches across a variety of recipes
+- Allow the creation of block devices on top of UBI volumes
+- archiver: new ARCHIVER_MODE[compression] to set tarball compression, and switch default to xz
+- yocto-check-layer: add ability to perform tests from a global bbclass
+- yocto-check-layer: improved README checks
+- cve-check: add json output format
+- cve-check: add coverage statistics on recipes with/without CVEs
+- Added mirrors for kernel sources and uninative binaries on kernel.org 
+- glibc and binutils recipes now use shallow mirror tarballs for faster fetching
+- When patching fails, show more information on the fatal error
+
+-  wic Image Creator enhancements:
+
+  - Support rootdev identified by partition label
+  - rawcopy: Add support for packed images
+  - partition: Support valueless keys in sourceparams
+
+- QA check enhancements:
+
+   - Allow treating license issues as errors
+   - Added a check that Upstream-Status patch tag is present and correctly formed
+   - Added a check for directories that are expected to be empty
+   - Ensure addition of patch-fuzz retriggers do_qa_patch
+   - Added a sanity check for allarch packagegroups
+
+- create-spdx class improvements:
+
+   - Get SPDX-License-Identifier from source files
+   - Generate manifest also for SDKs
+   - New SPDX_ORG variable to allow changing the Organization field value
+   - Added packageSupplier field
+   - Added create_annotation function
+
+- devtool add / recipetool create enhancements:
+
+   - Extend curl detection when creating recipes
+   - Handle GitLab URLs like we do GitHub
+   - Recognize more standard license text variants
+   - Separate licenses with & operator
+   - Detect more known licenses in Python code
+   - Move license md5sums data into CSV files
+   - npm: Use README as license fallback
+   
+- SDK-related enhancements:
+
+   - Extended recipes to ``nativesdk``: ``cargo``, ``librsvg``, ``libstd-rs``, ``libva``, ``python3-docutil``, ``python3-packaging``
+   - Enabled nativesdk recipes to find a correct version of the rust cross compiler
+   - Support creating per-toolchain cmake file in SDK
+
+- Rust enhancements:
+   
+   - New python_setuptools3_rust class to enable building python extensions in Rust
+   - classes/meson: Add optional rust definitions
+
+- QEMU / runqemu enhancements:
+
+   - qemu: Add knob for enabling PMDK pmem support
+   - qemu: add tpm string section to qemu acpi table
+   - qemu: Build on musl targets
+   - runqemu: support rootfs mounted ro
+   - runqemu: add :term:`DEPLOY_DIR_IMAGE` replacement in QB_OPT_APPEND
+   - runqemu: Allow auto-detection of the correct graphics options
+
+- Capped ``cpu_count()`` (used to set parallelisation defaults) to 64 since any higher usually hurts parallelisation
+- Adjust some GL-using recipes so that they only require virtual/egl
+- package_rpm: use zstd instead of xz
+- npm: new ``EXTRA_OENPM`` variable (to set node-gyp variables for example)
+- npm: new ``NPM_NODEDIR`` variable
+- perl: Enable threading
+- u-boot: Convert ${UBOOT_ENV}.cmd into ${UBOOT_ENV}.scr
+- u-boot: Split do_configure logic into separate file
+- go.bbclass: Allow adding parameters to go ldflags
+- go: log build id computations
+- scons: support out-of-tree builds
+- scripts: Add a conversion script to use SPDX license names
+- scripts: Add convert-variable-renames script for inclusive language variable renaming
+- binutils-cross-canadian: enable gold for mingw
+- grub-efi: Add option to include all available modules
+- bitbake.conf: allow wayland distro feature through for native/SDK builds
+- weston-init: Pass --continue-without-input when launching weston
+- weston: wrapper for weston modules argument
+- weston: Add a knob to control simple clients
+- uninative: Add version to uninative tarball name
+- volatile-binds: SELinux and overlayfs extensions in mount-copybind
+- gtk-icon-cache: Allow using gtk4
+- kmod: Add an exclude directive to depmod
+- os-release: add os-release-initrd package for use in systemd-based initramfs images
+- gstreamer1.0-plugins-base: add support for graphene
+- gpg-sign: Add parameters to gpg signature function
+- package_manager: sign DEB package feeds
+- zstd: add libzstd package
+- libical: build gobject and vala introspection
+- dhcpcd: add option to set DBDIR location
+- rpcbind: install rpcbind.conf
+- mdadm: install mdcheck
+- boost: add json lib
+- libxkbcommon: allow building of API documentation
+- libxkbcommon: split libraries and xkbcli into separate packages
+- systemd: move systemd shared library into its own package
+- systemd: Minimize udev package size if DISTRO_FEATURES doen't contain sysvinit
+
+Known Issues in 4.0
+~~~~~~~~~~~~~~~~~~~
+
+- ``make`` version 4.2.1 is known to be buggy on non-Ubuntu systems. If this ``make``
+  version is detected on host distributions other than Ubuntu at build start time,
+  then a warning will be displayed.
+
+Recipe License changes in 4.0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The following corrections have been made to the LICENSE values set by recipes:
+
+* cmake: add BSD-1-Clause & MIT & BSD-2-Clause to LICENSE due to additional vendored libraries in native/target context
+* gettext: extend LICENSE conditional upon PACKAGECONFIG (due to vendored libraries)
+* gstreamer1.0: update licenses of all modules to LGPL-2.1-or-later (with some exceptions that are GPL-2.0-or-later)
+* gstreamer1.0-plugins-bad/ugly: use the GPL-2.0-or-later only when it is in use
+* kern-tools-native: add missing MIT license due to Kconfiglib
+* libcap: add pam_cap license to LIC_FILES_CHKSUM if pam is enabled
+* libidn2: add Unicode-DFS-2016 license
+* libsdl2: add BSD-2-Clause to LICENSE due to default yuv2rgb and hidapi inclusion
+* libx11-compose-data: update LICENSE to "MIT & MIT-style & BSD-1-Clause & HPND & HPND-sell-variant" to better reflect reality
+* libx11: update LICENSE to "MIT & MIT-style & BSD-1-Clause & HPND & HPND-sell-variant" to better reflect reality
+* libxshmfence: correct LICENSE - MIT -> HPND
+* newlib: add BSD-3-Clause to LICENSE
+* python3-idna: correct LICENSE - Unicode -> Unicode-TOU
+* python3-pip: add "Apache-2.0 & MPL-2.0 & LGPL-2.1-only & BSD-3-Clause & PSF-2.0 & BSD-2-Clause" to LICENSE due to vendored libraries
+
+Other license-related notes:
+
+- The ambiguous "BSD" license has been removed from the ``common-licenses`` directory.
+  Each recipe that fetches or builds BSD-licensed code should specify the proper
+  version of the BSD license in its :term:`LICENSE` value.
+
+- :term:`LICENSE` definitions now have to use `SPDX identifiers <https://spdx.org/licenses/>`__.
+  A :oe_git:`convert-spdx-licenses.py </openembedded-core/tree/scripts/contrib/convert-spdx-licenses.py>`
+  script can be used to update your recipes.
+
+
+
+Security Fixes in 4.0
+~~~~~~~~~~~~~~~~~~~~~
+
+- binutils: :cve:`2021-42574`, :cve:`2021-45078`
+- curl: :cve:`2021-22945`, :cve:`2021-22946`, :cve:`2021-22947`
+- epiphany: :cve:`2021-45085`, :cve:`2021-45086`, :cve:`2021-45087`, :cve:`2021-45088`
+- expat: :cve:`2021-45960`, :cve:`2021-46143`, :cve:`2022-22822`, :cve:`2022-22823`, :cve:`2022-22824`, :cve:`2022-22825`, :cve:`2022-22826`, :cve:`2022-22827`, :cve:`2022-23852`, :cve:`2022-23990`, :cve:`2022-25235`, :cve:`2022-25236`, :cve:`2022-25313`, :cve:`2022-25314`, :cve:`2022-25315`
+- ffmpeg: :cve:`2021-38114`
+- gcc: :cve:`2021-35465`, :cve:`2021-42574`, :cve:`2021-46195`, :cve:`2022-24765`
+- glibc: :cve:`2021-3998`, :cve:`2021-3999`, :cve:`2021-43396`, :cve:`2022-23218`, :cve:`2022-23219`
+- gmp: :cve:`2021-43618`
+- go: :cve:`2021-41771` and :cve:`2021-41772`
+- grub2: :cve:`2021-3981`
+- gzip: :cve:`2022-1271`
+- libarchive : :cve:`2021-31566`, :cve:`2021-36976`
+- libxml2: :cve:`2022-23308`
+- libxslt: :cve:`2021-30560`
+- lighttpd: :cve:`2022-22707`
+- linux-yocto/5.10: amdgpu: :cve:`2021-42327`
+- lua: :cve:`2021-43396`
+- openssl: :cve:`2021-4044`, :cve:`2022-0778`
+- qemu: :cve:`2022-1050`, :cve:`2022-26353`, :cve:`2022-26354`
+- rpm: :cve:`2021-3521`
+- seatd: :cve:`2022-25643`
+- speex: :cve:`2020-23903`
+- squashfs-tools: :cve:`2021-41072`
+- systemd: :cve:`2021-4034`
+- tiff: :cve:`2022-0561`, :cve:`2022-0562`, :cve:`2022-0865`, :cve:`2022-0891`, :cve:`2022-0907`, :cve:`2022-0908`, :cve:`2022-0909`, :cve:`2022-0924`, :cve:`2022-1056`, :cve:`2022-22844`
+- unzip: :cve:`2021-4217`
+- vim: :cve:`2021-3796`, :cve:`2021-3872`, :cve:`2021-3875`, :cve:`2021-3927`, :cve:`2021-3928`, :cve:`2021-3968`, :cve:`2021-3973`, :cve:`2021-4187`, :cve:`2022-0128`, :cve:`2022-0156`, :cve:`2022-0158`, :cve:`2022-0261`, :cve:`2022-0318`, :cve:`2022-0319`, :cve:`2022-0554`, :cve:`2022-0696`, :cve:`2022-0714`, :cve:`2022-0729`, :cve:`2022-0943`
+- virglrenderer: :cve:`2022-0135`, :cve:`2022-0175`
+- webkitgtk: :cve:`2022-22589`, :cve:`2022-22590`, :cve:`2022-22592`
+- xz: :cve:`2022-1271`
+- zlib: :cve:`2018-25032`
+
+
+
+Recipe Upgrades in 4.0
+~~~~~~~~~~~~~~~~~~~~~~
+
+- acpica: upgrade 20210730 -> 20211217
+- acpid: upgrade 2.0.32 -> 2.0.33
+- adwaita-icon-theme: update 3.34/38 -> 41.0
+- alsa-ucm-conf: upgrade 1.2.6.2 -> 1.2.6.3
+- alsa: upgrade 1.2.5 -> 1.2.6
+- apt: upgrade 2.2.4 -> 2.4.3
+- asciidoc: upgrade 9.1.0 -> 10.0.0
+- atk: upgrade 2.36.0 -> 2.38.0
+- at-spi2-core: upgrade 2.40.3 -> 2.42.0
+- at: update 3.2.2 -> 3.2.5
+- autoconf-archive: upgrade 2021.02.19 -> 2022.02.11
+- automake: update 1.16.3 -> 1.16.5
+- bash: upgrade 5.1.8 -> 5.1.16
+- bind: upgrade 9.16.20 -> 9.18.1
+- binutils: Bump to latest 2.38 release branch
+- bison: upgrade 3.7.6 -> 3.8.2
+- bluez5: upgrade 5.61 -> 5.64
+- boost: update 1.77.0 -> 1.78.0
+- btrfs-tools: upgrade 5.13.1 -> 5.16.2
+- buildtools-installer: Update to use 3.4
+- busybox: 1.34.0 -> 1.35.0
+- ca-certificates: update 20210119 -> 20211016
+- cantarell-fonts: update 0.301 -> 0.303.1
+- ccache: upgrade 4.4 -> 4.6
+- cmake: update 3.21.1 -> 3.22.3
+- connman: update 1.40 -> 1.41
+- coreutils: update 8.32 -> 9.0
+- cracklib: update 2.9.5 -> 2.9.7
+- createrepo-c: upgrade 0.17.4 -> 0.19.0
+- cronie: upgrade 1.5.7 -> 1.6.0
+- cups: update 2.3.3op2 -> 2.4.1
+- curl: update 7.78.0 -> 7.82.0
+- dbus: upgrade 1.12.20 -> 1.14.0
+- debianutils: update 4.11.2 -> 5.7
+- dhcpcd: upgrade 9.4.0 -> 9.4.1
+- diffoscope: upgrade 181 -> 208
+- dnf: upgrade 4.8.0 -> 4.11.1
+- dpkg: update 1.20.9 ->  1.21.4
+- e2fsprogs: upgrade 1.46.4 -> 1.46.5
+- ed: upgrade 1.17 -> 1.18
+- efivar: update 37 -> 38
+- elfutils: update 0.185 -> 0.186
+- ell: upgrade 0.43 -> 0.49
+- enchant2: upgrade 2.3.1 -> 2.3.2
+- epiphany: update 40.3 -> 42.0
+- erofs-utils: update 1.3 -> 1.4
+- ethtool: update to 5.16
+- expat: upgrade 2.4.1 -> 2.4.7
+- ffmpeg: update 4.4 -> 5.0
+- file: upgrade 5.40 -> 5.41
+- findutils: upgrade 4.8.0 -> 4.9.0
+- flac: upgrade 1.3.3 -> 1.3.4
+- freetype: upgrade 2.11.0 -> 2.11.1
+- fribidi: upgrade 1.0.10 -> 1.0.11
+- gawk: update 5.1.0 -> 5.1.1
+- gcompat: Update to latest
+- gdbm: upgrade 1.19 -> 1.23
+- gdb: Upgrade to 11.2
+- ghostscript: update 9.54.0 -> 9.55.0
+- gi-docgen: upgrade 2021.7 -> 2022.1
+- git: update 2.33.0 -> 2.35.2
+- glib-2.0: update 2.68.4 -> 2.72.0
+- glibc: Upgrade to 2.35
+- glib-networking: update 2.68.2 -> 2.72.0
+- glslang: update 11.5.0 -> 11.8.0
+- gnu-config: update to latest revision
+- gnupg: update 2.3.1 -> 2.3.4
+- gnutls: update 3.7.2 -> 3.7.4
+- gobject-introspection: upgrade 1.68.0 -> 1.72.0
+- go-helloworld: update to latest revision
+- go: update 1.16.7 -> 1.17.8
+- gpgme: upgrade 1.16.0 -> 1.17.1
+- gsettings-desktop-schemas: upgrade 40.0 -> 42.0
+- gst-devtools: 1.18.4 -> 1.20.1
+- gst-examples: 1.18.4 -> 1.18.6
+- gstreamer1.0: 1.18.4 -> 1.20.1
+- gstreamer1.0-libav: 1.18.4 -> 1.20.1
+- gstreamer1.0-omx: 1.18.4 -> 1.20.1
+- gstreamer1.0-plugins-bad: 1.18.4  1.20.1
+- gstreamer1.0-plugins-base: 1.18.4 -> 1.20.1
+- gstreamer1.0-plugins-good: 1.18.4 -> 1.20.1
+- gstreamer1.0-plugins-ugly: 1.18.4 -> 1.20.1
+- gstreamer1.0-python: 1.18.4 -> 1.20.1
+- gstreamer1.0-rtsp-server: 1.18.4 -> 1.20.1
+- gstreamer1.0-vaapi: 1.18.4 -> 1.20.1
+- gtk+3: upgrade 3.24.30 -> 3.24.33
+- gzip: upgrade 1.10 -> 1.12
+- harfbuzz: upgrade 2.9.0 -> 4.0.1
+- hdparm: upgrade 9.62 -> 9.63
+- help2man: upgrade 1.48.4 -> 1.49.1
+- icu: update 69.1 -> 70.1
+- ifupdown: upgrade 0.8.36 -> 0.8.37
+- inetutils: update 2.1 -> 2.2
+- init-system-helpers: upgrade 1.60 -> 1.62
+- iproute2: update to 5.17.0
+- iputils: update 20210722 to 20211215
+- iso-codes: upgrade 4.6.0 -> 4.9.0
+- itstool: update 2.0.6 -> 2.0.7
+- iw: upgrade 5.9 -> 5.16
+- json-glib: upgrade 1.6.4 -> 1.6.6
+- kea: update 1.8.2 -> 2.0.2
+- kexec-tools: update 2.0.22 -> 2.0.23
+- less: upgrade 590 -> 600
+- libarchive: upgrade 3.5.1 -> 3.6.1
+- libatomic-ops: upgrade 7.6.10 -> 7.6.12
+- libbsd: upgrade 0.11.3 -> 0.11.5
+- libcap: update 2.51 -> 2.63
+- libcgroup: upgrade 2.0 -> 2.0.1
+- libcomps: upgrade 0.1.17 -> 0.1.18
+- libconvert-asn1-perl: upgrade 0.31 -> 0.33
+- libdazzle: upgrade 3.40.0 -> 3.44.0
+- libdnf: update 0.63.1 -> 0.66.0
+- libdrm: upgrade 2.4.107 -> 2.4.110
+- libedit: upgrade 20210714-3.1 -> 20210910-3.1
+- liberation-fonts: update 2.1.4 -> 2.1.5
+- libevdev: upgrade 1.11.0 -> 1.12.1
+- libexif: update 0.6.22 -> 0.6.24
+- libgit2: update 1.1.1 -> 1.4.2
+- libgpg-error: update 1.42 -> 1.44
+- libhandy: update 1.2.3 -> 1.5.0
+- libical: upgrade 3.0.10 -> 3.0.14
+- libinput: update to 1.19.3
+- libjitterentropy: update 3.1.0 -> 3.4.0
+- libjpeg-turbo: upgrade 2.1.1 -> 2.1.3
+- libmd: upgrade 1.0.3 -> 1.0.4
+- libmicrohttpd: upgrade 0.9.73 -> 0.9.75
+- libmodulemd: upgrade 2.13.0 -> 2.14.0
+- libpam: update 1.5.1 -> 1.5.2
+- libpcre2: upgrade 10.37 -> 10.39
+- libpipeline: upgrade 1.5.3 -> 1.5.5
+- librepo: upgrade 1.14.1 -> 1.14.2
+- librsvg: update 2.40.21 -> 2.52.7
+- libsamplerate0: update 0.1.9 -> 0.2.2
+- libsdl2: update 2.0.16 -> 2.0.20
+- libseccomp: update to 2.5.3
+- libsecret: upgrade 0.20.4 -> 0.20.5
+- libsndfile1: bump to version 1.0.31
+- libsolv: upgrade 0.7.19 -> 0.7.22
+- libsoup-2.4: upgrade 2.72.0 -> 2.74.2
+- libsoup: add a recipe for 3.0.5
+- libssh2: update 1.9.0 -> 1.10.0
+- libtasn1: upgrade 4.17.0 -> 4.18.0
+- libtool: Upgrade 2.4.6 -> 2.4.7
+- libucontext: Upgrade to 1.2 release
+- libunistring: update 0.9.10 -> 1.0
+- libunwind: upgrade 1.5.0 -> 1.6.2
+- liburcu: upgrade 0.13.0 -> 0.13.1
+- libusb1: upgrade 1.0.24 -> 1.0.25
+- libuv: update 1.42.0 -> 1.44.1
+- libva: update 2.12.0 -> 2.14.0
+- libva-utils: upgrade 2.13.0 -> 2.14.0
+- libwebp: 1.2.1 -> 1.2.2
+- libwpe: upgrade 1.10.1 -> 1.12.0
+- libx11: update to 1.7.3.1
+- libxcrypt: upgrade 4.4.26 -> 4.4.27
+- libxcrypt-compat: upgrade 4.4.26 -> 4.4.27
+- libxi: update to 1.8
+- libxkbcommon: update to 1.4.0
+- libxml2: update to 2.9.13
+- libxslt: update to v1.1.35
+- lighttpd: update 1.4.59 -> 1.4.64
+- linux-firmware: upgrade 20210818 -> 20220310
+- linux-libc-headers: update to v5.16
+- linux-yocto/5.10: update to v5.10.109
+- linux-yocto/5.15: introduce recipes (v5.15.32)
+- linux-yocto-dev: update to v5.18+
+- linux-yocto-rt/5.10: update to -rt61
+- linux-yocto-rt/5.15: update to -rt34
+- llvm: update 12.0.1 -> 13.0.1
+- logrotate: update 3.18.1 -> 3.19.0
+- lsof: update 4.91 -> 4.94.0
+- ltp: update 20210927 -> 20220121
+- ltp: Update to 20210927
+- lttng-modules: update devupstream to latest 2.13
+- lttng-modules: update to 2.13.3
+- lttng-tools: upgrade 2.13.0 -> 2.13.4
+- lttng-ust: upgrade 2.13.0 -> 2.13.2
+- lua: update 5.3.6 -> 5.4.4
+- lzip: upgrade 1.22 -> 1.23
+- man-db: upgrade 2.9.4 -> 2.10.2
+- man-pages: update to 5.13
+- mdadm: update 4.1 -> 4.2
+- mesa: upgrade 21.2.1 -> 22.0.0
+- meson: update 0.58.1 -> 0.61.3
+- minicom: Upgrade 2.7.1 -> 2.8
+- mmc-utils: upgrade to latest revision
+- mobile-broadband-provider-info: upgrade 20210805 -> 20220315
+- mpg123: upgrade 1.28.2 -> 1.29.3
+- msmtp: upgrade 1.8.15 -> 1.8.20
+- mtd-utils: upgrade 2.1.3 -> 2.1.4
+- mtools: upgrade 4.0.35 -> 4.0.38
+- musl: Update to latest master
+- ncurses: update 6.2 -> 6.3
+- newlib: Upgrade 4.1.0 -> 4.2.0
+- nfs-utils: upgrade 2.5.4 -> 2.6.1
+- nghttp2: upgrade 1.45.1 -> 1.47.0
+- ofono: upgrade 1.32 -> 1.34
+- opensbi: Upgrade to 1.0
+- openssh: upgrade 8.7p1 -> 8.9
+- openssl: update 1.1.1l -> 3.0.2
+- opkg: upgrade 0.4.5 -> 0.5.0
+- opkg-utils: upgrade 0.4.5 -> 0.5.0
+- ovmf: update 202105 -> 202202
+- p11-kit: update 0.24.0 -> 0.24.1
+- pango: upgrade 1.48.9 -> 1.50.4
+- patchelf: upgrade 0.13 -> 0.14.5
+- perl-cross: update 1.3.6 -> 1.3.7
+- perl: update 5.34.0 -> 5.34.1
+- piglit: upgrade to latest revision
+- pigz: upgrade 2.6 -> 2.7
+- pinentry: update 1.1.1 -> 1.2.0
+- pkgconfig: Update to latest
+- psplash: upgrade to latest revision
+- puzzles: upgrade to latest revision
+- python3-asn1crypto: upgrade 1.4.0 -> 1.5.1
+- python3-attrs: upgrade 21.2.0 -> 21.4.0
+- python3-cryptography: Upgrade to 36.0.2
+- python3-cryptography-vectors: upgrade to 36.0.2
+- python3-cython: upgrade 0.29.24 -> 0.29.28
+- python3-dbusmock: update to 0.27.3
+- python3-docutils: upgrade 0.17.1 0.18.1
+- python3-dtschema: upgrade 2021.10 -> 2022.1
+- python3-gitdb: upgrade 4.0.7 -> 4.0.9
+- python3-git: update to 3.1.27
+- python3-hypothesis: upgrade 6.15.0 -> 6.39.5
+- python3-imagesize: upgrade 1.2.0 -> 1.3.0
+- python3-importlib-metadata: upgrade 4.6.4 -> 4.11.3
+- python3-jinja2: upgrade 3.0.1 -> 3.1.1
+- python3-jsonschema: upgrade 3.2.0 -> 4.4.0
+- python3-libarchive-c: upgrade 3.1 -> 4.0
+- python3-magic: upgrade 0.4.24 -> 0.4.25
+- python3-mako: upgrade 1.1.5 -> 1.1.6
+- python3-markdown: upgrade 3.3.4 -> 3.3.6
+- python3-markupsafe: upgrade 2.0.1 -> 2.1.1
+- python3-more-itertools: upgrade 8.8.0 -> 8.12.0
+- python3-numpy: upgrade 1.21.2 -> 1.22.3
+- python3-packaging: upgrade 21.0 -> 21.3
+- python3-pathlib2: upgrade 2.3.6 -> 2.3.7
+- python3-pbr: upgrade 5.6.0 -> 5.8.1
+- python3-pip: update 21.2.4 -> 22.0.3
+- python3-pycairo: upgrade 1.20.1 -> 1.21.0
+- python3-pycryptodome: upgrade 3.10.1 -> 3.14.1
+- python3-pyelftools: upgrade 0.27 -> 0.28
+- python3-pygments: upgrade 2.10.0 -> 2.11.2
+- python3-pygobject: upgrade 3.40.1 -> 3.42.0
+- python3-pyparsing: update to 3.0.7
+- python3-pyrsistent: upgrade 0.18.0 -> 0.18.1
+- python3-pytest-runner: upgrade 5.3.1 -> 6.0.0
+- python3-pytest-subtests: upgrade 0.6.0 -> 0.7.0
+- python3-pytest: upgrade 6.2.4 -> 7.1.1
+- python3-pytz: upgrade 2021.3 -> 2022.1
+- python3-py: upgrade 1.10.0 -> 1.11.0
+- python3-pyyaml: upgrade 5.4.1 -> 6.0
+- python3-ruamel-yaml: upgrade 0.17.16 -> 0.17.21
+- python3-scons: upgrade 4.2.0 -> 4.3.0
+- python3-setuptools-scm: upgrade 6.0.1 -> 6.4.2
+- python3-setuptools: update to 59.5.0
+- python3-smmap: update to 5.0.0
+- python3-tomli: upgrade 1.2.1 -> 2.0.1
+- python3: update to 3.10.3
+- python3-urllib3: upgrade 1.26.8 -> 1.26.9
+- python3-zipp: upgrade 3.5.0 -> 3.7.0
+- qemu: update 6.0.0 -> 6.2.0
+- quilt: upgrade 0.66 -> 0.67
+- re2c: upgrade 2.2 -> 3.0
+- readline: upgrade 8.1 -> 8.1.2
+- repo: upgrade 2.17.3 -> 2.22
+- resolvconf: update 1.87 -> 1.91
+- rng-tools: upgrade 6.14 -> 6.15
+- rpcsvc-proto: upgrade 1.4.2 -> 1.4.3
+- rpm: update 4.16.1.3 -> 4.17.0
+- rt-tests: update 2.1 -> 2.3
+- ruby: update 3.0.2 -> 3.1.1
+- rust: update 1.54.0 -> 1.59.0
+- rxvt-unicode: upgrade 9.26 -> 9.30
+- screen: upgrade 4.8.0 -> 4.9.0
+- shaderc: update 2021.1 -> 2022.1
+- shadow: upgrade 4.9 -> 4.11.1
+- socat: upgrade 1.7.4.1 -> 1.7.4.3
+- spirv-headers: bump to b42ba6 revision
+- spirv-tools: update 2021.2 -> 2022.1
+- sqlite3: upgrade 3.36.0 -> 3.38.2
+- strace: update 5.14 -> 5.16
+- stress-ng: upgrade 0.13.00 -> 0.13.12
+- sudo: update 1.9.7p2 -> 1.9.10
+- sysklogd: upgrade 2.2.3 -> 2.3.0
+- sysstat: upgrade 12.4.3 -> 12.4.5
+- systemd: update 249.3 -> 250.4
+- systemtap: upgrade 4.5 -> 4.6
+- sysvinit: upgrade 2.99 -> 3.01
+- tzdata: update to 2022a
+- u-boot: upgrade 2021.07 -> 2022.01
+- uninative: Upgrade to 3.6 with gcc 12 support
+- util-linux: update 2.37.2 -> 2.37.4
+- vala: upgrade 0.52.5 -> 0.56.0
+- valgrind: update 3.17.0 -> 3.18.1
+- vim: upgrade to 8.2 patch 4681
+- vte: upgrade 0.64.2 -> 0.66.2
+- vulkan-headers: upgrade 1.2.182 -> 1.2.191
+- vulkan-loader: upgrade 1.2.182 -> 1.2.198.1
+- vulkan-samples: update to latest revision
+- vulkan-tools: upgrade 1.2.182 -> 1.2.191
+- vulkan: update 1.2.191.0 -> 1.3.204.1
+- waffle: update 1.6.1 -> 1.7.0
+- wayland-protocols: upgrade 1.21 -> 1.25
+- wayland: upgrade 1.19.0 -> 1.20.0
+- webkitgtk: upgrade 2.34.0 -> 2.36.0
+- weston: upgrade 9.0.0 -> 10.0.0
+- wget: update 1.21.1 -> 1.21.3
+- wireless-regdb: upgrade 2021.07.14 -> 2022.02.18
+- wpa-supplicant: update 2.9 -> 2.10
+- wpebackend-fdo: upgrade 1.10.0 -> 1.12.0
+- xauth: upgrade 1.1 -> 1.1.1
+- xf86-input-libinput: update to 1.2.1
+- xf86-video-intel: update to latest commit
+- xkeyboard-config: update to 2.35.1
+- xorgproto: update to 2021.5
+- xserver-xorg: update 1.20.13 -> 21.1.3
+- xwayland: update 21.1.2 -> 22.1.0
+- xxhash: upgrade 0.8.0 -> 0.8.1
+- zstd: update 1.5.0 -> 1.5.2
+
+
+
+Contributors to 4.0
+~~~~~~~~~~~~~~~~~~~
+
+Thanks to the following people who contributed to this release:
+
+- Abongwa Amahnui Bonalais
+- Adriaan Schmidt
+- Adrian Freihofer
+- Ahmad Fatoum
+- Ahmed Hossam
+- Ahsan Hussain
+- Alejandro Hernandez Samaniego
+- Alessio Igor Bogani
+- Alexander Kanavin
+- Alexandre Belloni
+- Alexandru Ardelean
+- Alexey Brodkin
+- Alex Stewart
+- Andreas Müller
+- Andrei Gherzan
+- Andrej Valek
+- Andres Beltran
+- Andrew Jeffery
+- Andrey Zhizhikin
+- Anton Mikanovich
+- Anuj Mittal
+- Bill Pittman
+- Bruce Ashfield
+- Caner Altinbasak
+- Carlos Rafael Giani
+- Chaitanya Vadrevu
+- Changhyeok Bae
+- Changqing Li
+- Chen Qi
+- Christian Eggers
+- Claudius Heine
+- Claus Stovgaard
+- Daiane Angolini
+- Daniel Ammann
+- Daniel Gomez
+- Daniel McGregor
+- Daniel Müller
+- Daniel Wagenknecht
+- David Joyner
+- David Reyna
+- Denys Dmytriyenko
+- Dhruva Gole
+- Diego Sueiro
+- Dmitry Baryshkov
+- Ferry Toth
+- Florian Amstutz
+- Henry Kleynhans
+- He Zhe
+- Hongxu Jia
+- Hsia-Jun(Randy) Li
+- Ian Ray
+- Jacob Kroon
+- Jagadeesh Krishnanjanappa
+- Jasper Orschulko
+- Jim Wilson
+- Joel Winarske
+- Joe Slater
+- Jon Mason
+- Jose Quaresma
+- Joshua Watt
+- Justin Bronder
+- Kai Kang
+- Kamil Dziezyk
+- Kevin Hao
+- Khairul Rohaizzat Jamaluddin
+- Khem Raj
+- Kiran Surendran
+- Konrad Weihmann
+- Kory Maincent
+- Lee Chee Yang
+- Leif Middelschulte
+- Lei Maohui
+- Li Wang
+- Liwei Song
+- Luca Boccassi
+- Lukasz Majewski
+- Luna Gräfje
+- Manuel Leonhardt
+- Marek Vasut
+- Mark Hatle
+- Markus Niebel
+- Markus Volk
+- Marta Rybczynska
+- Martin Beeger
+- Martin Jansa
+- Matthias Klein
+- Matt Madison
+- Maximilian Blenk
+- Max Krummenacher
+- Michael Halstead
+- Michael Olbrich
+- Michael Opdenacker
+- Mike Crowe
+- Ming Liu
+- Mingli Yu
+- Minjae Kim
+- Nicholas Sielicki
+- Olaf Mandel
+- Oleh Matiusha
+- Oleksandr Kravchuk
+- Oleksandr Ocheretnyi
+- Oleksandr Suvorov
+- Oleksiy Obitotskyy
+- Otavio Salvador
+- Pablo Saavedra
+- Paul Barker
+- Paul Eggleton
+- Pavel Zhukov
+- Peter Hoyes
+- Peter Kjellerstedt
+- Petr Vorel
+- Pgowda
+- Quentin Schulz
+- Ralph Siemsen
+- Randy Li
+- Randy MacLeod
+- Rasmus Villemoes
+- Ricardo Salveti
+- Richard Neill
+- Richard Purdie
+- Robert Joslyn
+- Robert P. J. Day
+- Robert Yang
+- Ross Burton
+- Rudolf J Streif
+- Sakib Sajal
+- Samuli Piippo
+- Saul Wold
+- Scott Murray
+- Sean Anderson
+- Simone Weiss
+- Simon Kuhnle
+- S. Lockwood-Childs
+- Stefan Herbrechtsmeier
+- Steve Sakoman
+- Sundeep KOKKONDA
+- Tamizharasan Kumar
+- Tean Cunningham
+- Teoh Jay Shen
+- Thomas Perrot
+- Tim Orling
+- Tobias Kaufmann
+- Tom Hochstein
+- Tony McDowell
+- Trevor Gamblin
+- Ulrich Ölmann
+- Valerii Chernous
+- Vivien Didelot
+- Vyacheslav Yurkov
+- Wang Mingyu
+- Xavier Berger
+- Yi Zhao
+- Yongxin Liu
+- Yureka
+- Zev Weiss
+- Zheng Ruoqin
+- Zoltán Böszörményi
+- Zygmunt Krynicki
+
+
+
+Repositories / Downloads for 4.0
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+
+poky
+
+-  Repository Location: https://git.yoctoproject.org/git/poky
+-  Branch: :yocto_git:`kirkstone </poky/log/?h=kirkstone>`
+-  Tag: :yocto_git:`yocto-4.0 </poky/tag/?h=yocto-4.0>`
+-  Git Revision: :yocto_git:`00cfdde791a0176c134f31e5a09eff725e75b905 </poky/commit/?id=00cfdde791a0176c134f31e5a09eff725e75b905>`
+-  Release Artefact: poky-00cfdde791a0176c134f31e5a09eff725e75b905
+-  sha: 4cedb491b7bf0d015768c61690f30d7d73f4266252d6fba907bba97eac83648c
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0/poky-00cfdde791a0176c134f31e5a09eff725e75b905.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0/poky-00cfdde791a0176c134f31e5a09eff725e75b905.tar.bz2
+
+openembedded-core
+
+-  Repository Location: :oe_git:`/openembedded-core`
+-  Branch: :oe_git:`kirkstone </openembedded-core/log/?h=kirkstone>`
+-  Tag: :oe_git:`yocto-4.0 </openembedded-core/tag/?h=yocto-4.0>`
+-  Git Revision: :oe_git:`92fcb6570bddd0c5717d8cfdf38ecf3e44942b0f </openembedded-core/commit/?id=92fcb6570bddd0c5717d8cfdf38ecf3e44942b0f>`
+-  Release Artefact: oecore-92fcb6570bddd0c5717d8cfdf38ecf3e44942b0f
+-  sha: c042629752543a10b0384b2076b1ee8742fa5e8112aef7b00b3621f8387a51c6
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0/oecore-92fcb6570bddd0c5717d8cfdf38ecf3e44942b0f.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0/oecore-92fcb6570bddd0c5717d8cfdf38ecf3e44942b0f.tar.bz2
+
+meta-mingw
+
+-  Repository Location: https://git.yoctoproject.org/git/meta-mingw
+-  Branch: :yocto_git:`kirkstone </meta-mingw/log/?h=kirkstone>`
+-  Tag: :yocto_git:`yocto-4.0 </meta-mingw/tag/?h=yocto-4.0>`
+-  Git Revision: :yocto_git:`a90614a6498c3345704e9611f2842eb933dc51c1 </meta-mingw/commit/?id=a90614a6498c3345704e9611f2842eb933dc51c1>`
+-  Release Artefact: meta-mingw-a90614a6498c3345704e9611f2842eb933dc51c1
+-  sha: 49f9900bfbbc1c68136f8115b314e95d0b7f6be75edf36a75d9bcd1cca7c6302
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0/meta-mingw-a90614a6498c3345704e9611f2842eb933dc51c1.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0/meta-mingw-a90614a6498c3345704e9611f2842eb933dc51c1.tar.bz2
+
+meta-gplv2
+
+-  Repository Location: https://git.yoctoproject.org/git/meta-gplv2
+-  Branch: :yocto_git:`kirkstone </meta-gplv2/log/?h=kirkstone>`
+-  Tag: :yocto_git:`yocto-4.0 </meta-gplv2/tag/?h=yocto-4.0>`
+-  Git Revision: :yocto_git:`d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a </meta-mingw/commit/?id=d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a>`
+-  Release Artefact: meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a
+-  sha: c386f59f8a672747dc3d0be1d4234b6039273d0e57933eb87caa20f56b9cca6d
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+
+bitbake
+
+-  Repository Location: :oe_git:`/bitbake`
+-  Branch: :oe_git:`2.0 </bitbake/log/?h=2.0>`
+-  Tag: :oe_git:`yocto-4.0 </bitbake/tag/?h=yocto-4.0>`
+-  Git Revision: :oe_git:`c212b0f3b542efa19f15782421196b7f4b64b0b9 </bitbake/commit/?id=c212b0f3b542efa19f15782421196b7f4b64b0b9>`
+-  Release Artefact: bitbake-c212b0f3b542efa19f15782421196b7f4b64b0b9
+-  sha: 6872095c7d7be5d791ef3e18b6bab2d1e0e237962f003d2b00dc7bd6fb6d2ef7
+-  Download Locations:
+   http://downloads.yoctoproject.org/releases/yocto/yocto-4.0/bitbake-c212b0f3b542efa19f15782421196b7f4b64b0b9.tar.bz2
+   http://mirrors.kernel.org/yocto/yocto/yocto-4.0/bitbake-c212b0f3b542efa19f15782421196b7f4b64b0b9.tar.bz2
+
+yocto-docs
+
+-  Repository Location: https://git.yoctoproject.org/git/yocto-docs
+-  Branch: :yocto_git:`kirkstone </yocto-docs/log/?h=kirkstone>`
+-  Tag: :yocto_git:`yocto-4.0 </yocto-docs/tag/?h=yocto-4.0>`
+-  Git Revision: :yocto_git:`a6f571ad5b087385cad8765ed455c4b4eaeebca6 </yocto-docs/commit/?id=a6f571ad5b087385cad8765ed455c4b4eaeebca6>`
+

documentation/poky.yaml.in

@@ -1,10 +1,10 @@
-DISTRO : "3.4.3"
-DISTRO_NAME_NO_CAP : "honister"
-DISTRO_NAME : "Honister"
-DISTRO_NAME_NO_CAP_MINUS_ONE : "hardknott"
+DISTRO : "4.0"
+DISTRO_NAME_NO_CAP : "kirkstone"
+DISTRO_NAME : "Kirkstone"
+DISTRO_NAME_NO_CAP_MINUS_ONE : "honister"
 DISTRO_NAME_NO_CAP_LTS : "dunfell"
-YOCTO_DOC_VERSION : "3.4.3"
-DISTRO_REL_TAG : "yocto-3.4.3"
+YOCTO_DOC_VERSION : "4.0"
+DISTRO_REL_TAG : "yocto-4.0"
 DOCCONF_VERSION : "dev"
 BITBAKE_SERIES : ""
 YOCTO_DL_URL : "https://downloads.yoctoproject.org"

documentation/ref-manual/classes.rst

@@ -576,6 +576,14 @@ Finally, here is an example that sets the root password::
        usermod -p '${PASSWD}' root; \
        "
 
+.. note::
+
+   From a security perspective, hardcoding a default password is not
+   generally a good idea or even legal in some jurisdictions. It is 
+   recommended that you do not do this if you are building a production 
+   image.
+
+
 .. _ref-classes-features_check:
 
 ``features_check.bbclass``
@@ -1032,6 +1040,11 @@ Here are the tests you can list with the :term:`WARN_QA` and
    cases, such as dynamically loaded modules, these symlinks
    are needed instead in the main package.
 
+-  ``empty-dirs:`` Checks that packages are not installing files to
+   directories that are normally expected to be empty (such as ``/tmp``)
+   The list of directories that are checked is specified by the
+   :term:`QA_EMPTY_DIRS` variable.
+
 -  ``file-rdeps:`` Checks that file-level dependencies identified by
    the OpenEmbedded build system at packaging time are satisfied. For
    example, a shell script might start with the line ``#!/bin/bash``.

documentation/ref-manual/qa-checks.rst

@@ -154,7 +154,16 @@ Errors and Warnings
    ``FILES:${PN}-dbg``. See :term:`FILES` for additional
    information on :term:`FILES`.
 
-    
+.. _qa-check-empty-dirs:
+
+-  ``<packagename> installs files in <path>, but it is expected to be empty [empty-dirs]``
+
+   The specified package is installing files into a directory that is
+   normally expected to be empty (such as ``/tmp``). These files may
+   be more appropriately installed to a different location, or
+   perhaps alternatively not installed at all, usually by updating the
+   ``do_install`` task/function.
+
 .. _qa-check-arch:
 
 -  ``Architecture did not match (<file_arch>, expected <machine_arch>) in <file> [arch]``

documentation/ref-manual/variables.rst

@@ -1485,6 +1485,13 @@ system and gives an overview of their function and contents.
 
          CVE_PRODUCT = "oracle_berkeley_db berkeley_db"
 
+      Sometimes the product name is not specific enough, for example
+      "tar" has been matching CVEs for the GNU ``tar`` package and also
+      the ``node-tar`` node.js extension. To avoid this problem, use the
+      vendor name as a prefix. The syntax for this is::
+
+         CVE_PRODUCT = "vendor:package"
+
    :term:`CVSDIR`
       The directory in which files checked out under the CVS system are
       stored.
@@ -2331,6 +2338,37 @@ system and gives an overview of their function and contents.
          # usermod -s /bin/sh tester; \
          # "
 
+      Hardcoded passwords are supported via the ``-p`` parameters for
+      ``useradd`` or ``usermod``, but only hashed.
+
+      Here is an example that adds two users named "tester-jim" and "tester-sue" and assigns
+      passwords. First on host, create the (escaped) password hash::
+
+         printf "%q" $(mkpasswd -m sha256crypt tester01)
+
+      The resulting hash is set to a variable and used in ``useradd`` command parameters::
+
+         inherit extrausers
+         PASSWD = "\$X\$ABC123\$A-Long-Hash"
+         EXTRA_USERS_PARAMS = "\
+             useradd -p '${PASSWD}' tester-jim; \
+             useradd -p '${PASSWD}' tester-sue; \
+             "
+
+      Finally, here is an example that sets the root password::
+
+         inherit extrausers
+         EXTRA_USERS_PARAMS = "\
+             usermod -p '${PASSWD}' root; \
+             "
+
+      .. note::
+
+         From a security perspective, hardcoding a default password is not
+         generally a good idea or even legal in some jurisdictions. It is 
+         recommended that you do not do this if you are building a production 
+         image.
+
       Additionally there is a special ``passwd-expire`` command that will
       cause the password for a user to be expired and thus force changing it
       on first login, for example::
@@ -3485,6 +3523,14 @@ system and gives an overview of their function and contents.
       incompatible licenses are not built. Packages that are individually
       licensed with the specified incompatible licenses will be deleted.
 
+      There is some support for wildcards in this variable's value,
+      however it is restricted to specific licenses. Currently only
+      these wildcards are allowed and expand as follows:
+
+      - ``AGPL-3.0*"``: ``AGPL-3.0-only``, ``AGPL-3.0-or-later``
+      - ``GPL-3.0*``: ``GPL-3.0-only``, ``GPL-3.0-or-later``
+      - ``LGPL-3.0*``: ``LGPL-3.0-only``, ``LGPL-3.0-or-later``
+
       .. note::
 
          This functionality is only regularly tested using the following
@@ -3938,6 +3984,11 @@ system and gives an overview of their function and contents.
       custom kernel image types with the :ref:`kernel <ref-classes-kernel>` class using this
       variable.
 
+   :term:`KERNEL_DEBUG_TIMESTAMPS`
+      If set to "1", enables timestamping functionality during building
+      the kernel. The default is "0" to disable this for reproducibility
+      reasons.
+
    :term:`KERNEL_DEVICETREE`
       Specifies the name of the generated Linux kernel device tree (i.e.
       the ``.dtb``) file.
@@ -6064,6 +6115,28 @@ system and gives an overview of their function and contents.
       In the previous example,
       the version of the dependency is :term:`PYTHON_PN`.
 
+   :term:`QA_EMPTY_DIRS`
+      Specifies a list of directories that are expected to be empty when
+      packaging; if ``empty-dirs`` appears in :term:`ERROR_QA` or
+      :term:`WARN_QA` these will be checked and an error or warning
+      (respectively) will be produced.
+
+      The default :term:`QA_EMPTY_DIRS` value is set in
+      :ref:`insane.bbclass <ref-classes-insane>`.
+
+   :term:`QA_EMPTY_DIRS_RECOMMENDATION`
+      Specifies a recommendation for why a directory must be empty,
+      which will be included in the error message if a specific directory
+      is found to contain files. Must be overridden with the directory
+      path to match on.
+
+      If no recommendation is specified for a directory, then the default
+      "but it is expected to be empty" will be used.
+
+      An example message shows if files were present in '/dev'::
+
+         QA_EMPTY_DIRS_RECOMMENDATION:/dev = "but all devices must be created at runtime"
+
    :term:`RANLIB`
       The minimal command and arguments to run ``ranlib``.
 
@@ -8717,4 +8790,36 @@ system and gives an overview of their function and contents.
 
       The default value of :term:`XSERVER`, if not specified in the machine
       configuration, is "xserver-xorg xf86-video-fbdev xf86-input-evdev".
-   
+
+   :term:`XZ_THREADS`
+      Specifies the number of parallel threads that should be used when
+      using xz compression.
+
+      By default this scales with core count, but is never set less than 2
+      to ensure that multi-threaded mode is always used so that the output
+      file contents are deterministic. Builds will work with a value of 1
+      but the output will differ compared to the output from the compression
+      generated when more than one thread is used.
+
+      On systems where many tasks run in parallel, setting a limit to this
+      can be helpful in controlling system resource usage.
+
+    :term:`XZ_MEMLIMIT`
+      Specifies the maximum memory the xz compression should use as a percentage
+      of system memory. If unconstrained the xz compressor can use large amounts of
+      memory and become problematic with parallelism elsewhere in the build.
+      "50%" has been found to be a good value.
+
+   :term:`ZSTD_THREADS`
+      Specifies the number of parallel threads that should be used when
+      using ZStandard compression.
+
+      By default this scales with core count, but is never set less than 2
+      to ensure that multi-threaded mode is always used so that the output
+      file contents are deterministic. Builds will work with a value of 1
+      but the output will differ compared to the output from the compression
+      generated when more than one thread is used.
+
+      On systems where many tasks run in parallel, setting a limit to this
+      can be helpful in controlling system resource usage.
+

documentation/releases.rst

@@ -11,6 +11,12 @@
  Supported Release Manuals
 ===========================
 
+******************************
+Release Series 4.0 (kirkstone)
+******************************
+
+- :yocto_docs:`4.0 Documentation </4.0>`
+
 ******************************
 Release Series 3.4 (honister)
 ******************************

documentation/set_versions.py

@@ -23,13 +23,12 @@ ourversion = None
 if len(sys.argv) == 2:
     ourversion = sys.argv[1]
 
-activereleases = ["honister", "hardknott", "dunfell"]
-#devbranch = "langdale"
-devbranch = "kirkstone"
+activereleases = ["kirkstone", "honister", "hardknott", "dunfell"]
+devbranch = "langdale"
 ltsseries = ["kirkstone", "dunfell"]
 
 release_series = collections.OrderedDict()
-#release_series["langdale"] = "4.1"
+release_series["langdale"] = "4.1"
 release_series["kirkstone"] = "4.0"
 release_series["honister"] = "3.4"
 release_series["hardknott"] = "3.3"
@@ -57,8 +56,8 @@ release_series["bernard"] = "1.0"
 release_series["laverne"] = "0.9"
 
 
-#    "langdale" : "2.2",
 bitbake_mapping = {
+    "langdale" : "2.2",
     "kirkstone" : "2.0",
     "honister" : "1.52",
     "hardknott" : "1.50",
@@ -128,7 +127,7 @@ else:
     if branch == "master":
         ourseries = devbranch
         docconfver = "dev"
-        bitbakeversion = ""
+        bitbakeversion = "dev"
     elif branch in release_series:
         ourseries = branch
         if branch in bitbake_mapping:
@@ -199,29 +198,29 @@ if os.path.exists("poky.yaml.in"):
 #  - current doc version
 # (with duplicates removed)
 
-if ourseries not in activereleases:
-    activereleases.append(ourseries)
-
 versions = []
 with open("sphinx-static/switchers.js.in", "r") as r, open("sphinx-static/switchers.js", "w") as w:
     lines = r.readlines()
     for line in lines:
+        if "ALL_RELEASES_PLACEHOLDER" in line:
+            w.write(str(list(release_series.keys())))
+            continue
         if "VERSIONS_PLACEHOLDER" in line:
             w.write("    'dev': { 'title': 'dev (%s)', 'obsolete': false,},\n" % release_series[devbranch])
-            for branch in activereleases:
+            for branch in activereleases + ([ourseries] if ourseries not in activereleases else []):
                 if branch == devbranch:
                     continue
-                versions = subprocess.run('git tag --list yocto-%s*' % (release_series[branch]), shell=True, capture_output=True, text=True).stdout.split()
-                versions = sorted([v.replace("yocto-" +  release_series[branch] + ".", "").replace("yocto-" +  release_series[branch], "0") for v in versions], key=int)
-                if not versions:
+                branch_versions = subprocess.run('git tag --list yocto-%s*' % (release_series[branch]), shell=True, capture_output=True, text=True).stdout.split()
+                branch_versions = sorted([v.replace("yocto-" +  release_series[branch] + ".", "").replace("yocto-" +  release_series[branch], "0") for v in branch_versions], key=int)
+                if not branch_versions:
                     continue
                 version = release_series[branch]
-                if versions[-1] != "0":
-                    version = version + "." + versions[-1]
+                if branch_versions[-1] != "0":
+                    version = version + "." + branch_versions[-1]
                 versions.append(version)
-                w.write("    '%s': {'title': '%s', 'obsolete': %s,},\n" % (version, version, str(branch == ourseries).lower()))
+                w.write("    '%s': {'title': '%s', 'obsolete': %s,},\n" % (version, version, str(branch not in activereleases).lower()))
             if ourversion not in versions and ourseries != devbranch:
-                w.write("    '%s': {'title': '%s', 'obsolete': true,},\n" % (ourversion, ourversion))
+                w.write("    '%s': {'title': '%s', 'obsolete': %s,},\n" % (ourversion, ourversion, str(ourseries not in activereleases).lower()))
         else:
             w.write(line)
 

documentation/sphinx-static/switchers.js.in

@@ -9,7 +9,11 @@ by https://git.yoctoproject.org/yocto-autobuilder-helper/tree/scripts/run-docs-b
 (function() {
   'use strict';
 
-  var all_versions = {
+  var all_releases =
+	ALL_RELEASES_PLACEHOLDER
+  ;
+
+  var switcher_versions = {
     VERSIONS_PLACEHOLDER
   };
 
@@ -65,7 +69,7 @@ by https://git.yoctoproject.org/yocto-autobuilder-helper/tree/scripts/run-docs-b
   function build_version_select(current_series, current_version) {
     var buf = ['<select>'];
 
-    $.each(all_versions, function(version, vers_data) {
+    $.each(switcher_versions, function(version, vers_data) {
       var series = version.substr(0, 3);
       if (series == current_series) {
         if (version == current_version)
@@ -149,14 +153,20 @@ by https://git.yoctoproject.org/yocto-autobuilder-helper/tree/scripts/run-docs-b
     var docroot = get_docroot_url()
 
     var new_versionpath = selected_version + '/';
-    if (selected_version == "dev")
-        new_versionpath = '';
 
-    // dev versions have no version prefix
-    if (current_version == "dev") {
+    // latest tag is also the default page (without version information)
+    if (docroot.endsWith(current_version + '/') == false) {
         var new_url = docroot + new_versionpath + url.replace(docroot, "");
         var fallback_url = docroot + new_versionpath;
     } else {
+	// check for named releases (e.g. dunfell) in the subpath
+        $.each(all_releases, function(idx, release) {
+		if (docroot.endsWith('/' + release + '/')) {
+			current_version = release;
+			return false;
+		}
+	});
+
         var new_url = url.replace('/' + current_version + '/', '/' + new_versionpath);
         var fallback_url = new_url.replace(url.replace(docroot, ""), "");
     }
@@ -220,10 +230,10 @@ by https://git.yoctoproject.org/yocto-autobuilder-helper/tree/scripts/run-docs-b
     $('.doctype_switcher_placeholder select').bind('change', on_doctype_switch);
 
     if (release != "dev") {
-      $.each(all_versions, function(version, vers_data) {
+      $.each(switcher_versions, function(version, vers_data) {
         var series = version.substr(0, 3);
         if (series == current_series) {
-          if (version != release) {
+          if (version != release && release.endsWith('.999') == false) {
             $('#outdated-warning').html('This document is for outdated version ' + release + ', you should select the latest release version in this series, ' + version + '.');
             $('#outdated-warning').css('padding', '.5em');
             return false;

meta-poky/conf/distro/poky.conf

@@ -1,7 +1,7 @@
 DISTRO = "poky"
 DISTRO_NAME = "Poky (Yocto Project Reference Distro)"
 #DISTRO_VERSION = "3.4+snapshot-${METADATA_REVISION}"
-DISTRO_VERSION = "4.0"
+DISTRO_VERSION = "4.0.1"
 DISTRO_CODENAME = "kirkstone"
 SDK_VENDOR = "-pokysdk"
 SDK_VERSION = "${@d.getVar('DISTRO_VERSION').replace('snapshot-${METADATA_REVISION}', 'snapshot')}"

meta-selftest/recipes-test/git-submodule-test/git-submodule-test.bb

@@ -7,3 +7,18 @@ INHIBIT_DEFAULT_DEPS = "1"
 
 SRC_URI = "gitsm://git.yoctoproject.org/git-submodule-test;branch=master"
 SRCREV = "a2885dd7d25380d23627e7544b7bbb55014b16ee"
+
+S = "${WORKDIR}/git"
+
+do_test_git_as_user() {
+    cd ${S}
+    git status
+}
+addtask test_git_as_user after do_unpack
+
+fakeroot do_test_git_as_root() {
+    cd ${S}
+    git status
+}
+do_test_git_as_root[depends] += "virtual/fakeroot-native:do_populate_sysroot"
+addtask test_git_as_root after do_unpack

meta-yocto-bsp/recipes-kernel/linux/linux-yocto_5.15.bbappend

@@ -7,17 +7,17 @@ KMACHINE:genericx86 ?= "common-pc"
 KMACHINE:genericx86-64 ?= "common-pc-64"
 KMACHINE:beaglebone-yocto ?= "beaglebone"
 
-SRCREV_machine:genericx86 ?= "7f685244afb3acd13e94968312580b63d7296705"
-SRCREV_machine:genericx86-64 ?= "7f685244afb3acd13e94968312580b63d7296705"
-SRCREV_machine:edgerouter ?= "5a8ec126c297dd9e410eb23685003f670f8f3d57"
-SRCREV_machine:beaglebone-yocto ?= "5a8ec126c297dd9e410eb23685003f670f8f3d57"
+SRCREV_machine:genericx86 ?= "ebfb1822e9f9726d8c587fc0f60cfed43fa0873e"
+SRCREV_machine:genericx86-64 ?= "ebfb1822e9f9726d8c587fc0f60cfed43fa0873e"
+SRCREV_machine:edgerouter ?= "b978686694c3e41968821d6cc2a2a371fd9c2fb0"
+SRCREV_machine:beaglebone-yocto ?= "4c875cf1376178dfab4913aa1350cab50bb093d3"
 
 COMPATIBLE_MACHINE:genericx86 = "genericx86"
 COMPATIBLE_MACHINE:genericx86-64 = "genericx86-64"
 COMPATIBLE_MACHINE:edgerouter = "edgerouter"
 COMPATIBLE_MACHINE:beaglebone-yocto = "beaglebone-yocto"
 
-LINUX_VERSION:genericx86 = "5.15.22"
-LINUX_VERSION:genericx86-64 = "5.15.22"
-LINUX_VERSION:edgerouter = "5.15.1"
-LINUX_VERSION:beaglebone-yocto = "5.15.1"
+LINUX_VERSION:genericx86 = "5.15.36"
+LINUX_VERSION:genericx86-64 = "5.15.36"
+LINUX_VERSION:edgerouter = "5.15.36"
+LINUX_VERSION:beaglebone-yocto = "5.15.36"

meta/classes/base.bbclass

@@ -115,6 +115,10 @@ def setup_hosttools_dir(dest, toolsvar, d, fatal=True):
     tools = d.getVar(toolsvar).split()
     origbbenv = d.getVar("BB_ORIGENV", False)
     path = origbbenv.getVar("PATH")
+    # Need to ignore our own scripts directories to avoid circular links
+    for p in path.split(":"):
+        if p.endswith("/scripts"):
+            path = path.replace(p, "/ignoreme")
     bb.utils.mkdirhier(dest)
     notfound = []
     for tool in tools:

meta/classes/create-spdx.bbclass

@@ -35,8 +35,6 @@ SPDX_SUPPLIER[doc] = "The SPDX PackageSupplier field for SPDX packages created f
     is the contact information for the person or organization who is doing the \
     build."
 
-do_image_complete[depends] = "virtual/kernel:do_create_spdx"
-
 def extract_licenses(filename):
     import re
 
@@ -835,16 +833,14 @@ python image_combine_spdx() {
 
     combine_spdx(d, image_name, imgdeploydir, img_spdxid, packages)
 
-    if image_link_name:
-        image_spdx_path = imgdeploydir / (image_name + ".spdx.json")
-        image_spdx_link = imgdeploydir / (image_link_name + ".spdx.json")
-        image_spdx_link.symlink_to(os.path.relpath(image_spdx_path, image_spdx_link.parent))
-
     def make_image_link(target_path, suffix):
         if image_link_name:
             link = imgdeploydir / (image_link_name + suffix)
-            link.symlink_to(os.path.relpath(target_path, link.parent))
+            if link != target_path:
+                link.symlink_to(os.path.relpath(target_path, link.parent))
 
+    image_spdx_path = imgdeploydir / (image_name + ".spdx.json")
+    make_image_link(image_spdx_path, ".spdx.json")
     spdx_tar_path = imgdeploydir / (image_name + ".spdx.tar.zst")
     make_image_link(spdx_tar_path, ".spdx.tar.zst")
     spdx_index_path = imgdeploydir / (image_name + ".spdx.index.json")

meta/classes/cve-check.bbclass

@@ -79,6 +79,30 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
 # set to "alphabetical" for version using single alphabetical character as increment release
 CVE_VERSION_SUFFIX ??= ""
 
+def generate_json_report(out_path, link_path):
+    if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
+        import json
+        from oe.cve_check import cve_check_merge_jsons
+
+        bb.note("Generating JSON CVE summary")
+        index_file = d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")
+        summary = {"version":"1", "package": []}
+        with open(index_file) as f:
+            filename = f.readline()
+            while filename:
+                with open(filename.rstrip()) as j:
+                    data = json.load(j)
+                    cve_check_merge_jsons(summary, data)
+                filename = f.readline()
+
+        with open(out_path, "w") as f:
+            json.dump(summary, f, indent=2)
+
+        if link_path != out_path:
+            if os.path.exists(os.path.realpath(link_path)):
+                os.remove(link_path)
+            os.symlink(os.path.basename(out_path), link_path)
+
 python cve_save_summary_handler () {
     import shutil
     import datetime
@@ -97,10 +121,16 @@ python cve_save_summary_handler () {
 
         if cve_summary_file and os.path.exists(cve_summary_file):
             cvefile_link = os.path.join(cvelogpath, cve_summary_name)
+            # if the paths are the same don't create the link
+            if cvefile_link != cve_summary_file:
+                if os.path.exists(os.path.realpath(cvefile_link)):
+                    os.remove(cvefile_link)
+                os.symlink(os.path.basename(cve_summary_file), cvefile_link)
 
-            if os.path.exists(os.path.realpath(cvefile_link)):
-                os.remove(cvefile_link)
-            os.symlink(os.path.basename(cve_summary_file), cvefile_link)
+        json_summary_link_name = os.path.join(cvelogpath, d.getVar("CVE_CHECK_SUMMARY_FILE_NAME_JSON"))
+        json_summary_name = os.path.join(cvelogpath, "%s-%s.json" % (cve_summary_name, timestamp))
+        generate_json_report(json_summary_name, json_summary_link_name)
+        bb.plain("CVE report summary created at: %s" % json_summary_link_name)
 }
 
 addhandler cve_save_summary_handler
@@ -126,7 +156,7 @@ python do_cve_check () {
 
 }
 
-addtask cve_check before do_build after do_fetch
+addtask cve_check before do_build
 do_cve_check[depends] = "cve-update-db-native:do_fetch"
 do_cve_check[nostamp] = "1"
 
@@ -169,31 +199,19 @@ python cve_check_write_rootfs_manifest () {
 
         if manifest_name and os.path.exists(manifest_name):
             manifest_link = os.path.join(deploy_dir, "%s.cve" % link_name)
-            # If we already have another manifest, update symlinks
-            if os.path.exists(os.path.realpath(manifest_link)):
-                os.remove(manifest_link)
-            os.symlink(os.path.basename(manifest_name), manifest_link)
+            # if they are the same don't create the link
+            if manifest_link != manifest_name:
+                # If we already have another manifest, update symlinks
+                if os.path.exists(os.path.realpath(manifest_link)):
+                    os.remove(manifest_link)
+                os.symlink(os.path.basename(manifest_name), manifest_link)
             bb.plain("Image CVE report stored in: %s" % manifest_name)
 
-    if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
-        import json
+        link_path = os.path.join(deploy_dir, "%s.json" % link_name)
+        manifest_path = d.getVar("CVE_CHECK_MANIFEST_JSON")
         bb.note("Generating JSON CVE manifest")
-        deploy_dir = d.getVar("DEPLOY_DIR_IMAGE")
-        link_name = d.getVar("IMAGE_LINK_NAME")
-        manifest_name = d.getVar("CVE_CHECK_MANIFEST_JSON")
-        index_file = d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")
-        manifest = {"version":"1", "package": []}
-        with open(index_file) as f:
-            filename = f.readline()
-            while filename:
-                with open(filename.rstrip()) as j:
-                    data = json.load(j)
-                    cve_check_merge_jsons(manifest, data)
-                filename = f.readline()
-
-        with open(manifest_name, "w") as f:
-            json.dump(manifest, f, indent=2)
-        bb.plain("Image CVE report stored in: %s" % manifest_name)
+        generate_json_report(json_summary_name, json_summary_link_name)
+        bb.plain("Image CVE JSON report stored in: %s" % link_path)
 }
 
 ROOTFS_POSTPROCESS_COMMAND:prepend = "${@'cve_check_write_rootfs_manifest; ' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"

meta/classes/devshell.bbclass

@@ -2,6 +2,8 @@ inherit terminal
 
 DEVSHELL = "${SHELL}"
 
+PATH:prepend:task-devshell = "${COREBASE}/scripts/git-intercept:"
+
 python do_devshell () {
     if d.getVarFlag("do_devshell", "manualfakeroot"):
        d.prependVar("DEVSHELL", "pseudo ")
@@ -21,6 +23,7 @@ addtask devshell after do_patch do_prepare_recipe_sysroot
 DEVSHELL_STARTDIR ?= "${S}"
 do_devshell[dirs] = "${DEVSHELL_STARTDIR}"
 do_devshell[nostamp] = "1"
+do_devshell[network] = "1"
 
 # devshell and fakeroot/pseudo need careful handling since only the final
 # command should run under fakeroot emulation, any X connection should
@@ -154,3 +157,4 @@ python do_pydevshell() {
 addtask pydevshell after do_patch
 
 do_pydevshell[nostamp] = "1"
+do_pydevshell[network] = "1"

meta/classes/go.bbclass

@@ -67,6 +67,7 @@ GO_INSTALL_FILTEROUT ?= "${GO_IMPORT}/vendor/"
 
 B = "${WORKDIR}/build"
 export GOPATH = "${B}"
+export GOENV = "off"
 export GOTMPDIR ?= "${WORKDIR}/build-tmp"
 GOTMPDIR[vardepvalue] = ""
 

meta/classes/kernel-yocto.bbclass

@@ -521,15 +521,15 @@ python do_config_analysis() {
 python do_kernel_configcheck() {
     import re, string, sys, subprocess
 
-    # if KMETA isn't set globally by a recipe using this routine, we need to
-    # set the default to 'meta'. Otherwise, kconf_check is not passed a valid
-    # meta-series for processing
-    kmeta = d.getVar("KMETA") or "meta"
-    if not os.path.exists(kmeta):
-        kmeta = subprocess.check_output(['kgit', '--meta'], cwd=d.getVar('S')).decode('utf-8').rstrip()
-
     s = d.getVar('S')
 
+    # if KMETA isn't set globally by a recipe using this routine, use kgit to
+    # locate or create the meta directory. Otherwise, kconf_check is not
+    # passed a valid meta-series for processing
+    kmeta = d.getVar("KMETA")
+    if not kmeta or not os.path.exists('{}/{}'.format(s,kmeta)):
+        kmeta = subprocess.check_output(['kgit', '--meta'], cwd=d.getVar('S')).decode('utf-8').rstrip()
+
     env = os.environ.copy()
     env['PATH'] = "%s:%s%s" % (d.getVar('PATH'), s, "/scripts/util/")
     env['LD'] = d.getVar('KERNEL_LD')

meta/classes/package.bbclass

@@ -422,7 +422,6 @@ def splitstaticdebuginfo(file, dvar, dv, d):
     # return a mapping of files:debugsources
 
     import stat
-    import shutil
 
     src = file[len(dvar):]
     dest = dv["staticlibdir"] + os.path.dirname(src) + dv["staticdir"] + "/" + os.path.basename(src) + dv["staticappend"]
@@ -663,7 +662,10 @@ def runtime_mapping_rename (varname, pkg, d):
 # Used by do_packagedata (and possibly other routines post do_package)
 #
 
+PRSERV_ACTIVE = "${@bool(d.getVar("PRSERV_HOST"))}"
+PRSERV_ACTIVE[vardepvalue] = "${PRSERV_ACTIVE}"
 package_get_auto_pr[vardepsexclude] = "BB_TASKDEPDATA"
+package_get_auto_pr[vardeps] += "PRSERV_ACTIVE"
 python package_get_auto_pr() {
     import oe.prservice
 
@@ -807,15 +809,10 @@ python perform_packagecopy () {
     dest = d.getVar('D')
     dvar = d.getVar('PKGD')
 
-    # Remove ${D}/sysroot-only if present
-    sysroot_only = os.path.join(dest, 'sysroot-only')
-    if cpath.exists(sysroot_only) and cpath.isdir(sysroot_only):
-        shutil.rmtree(sysroot_only)
-
     # Start by package population by taking a copy of the installed
     # files to operate on
     # Preserve sparse files and hard links
-    cmd = 'tar -cf - -C %s -p -S . | tar -xf - -C %s' % (dest, dvar)
+    cmd = 'tar --exclude=./sysroot-only -cf - -C %s -p -S . | tar -xf - -C %s' % (dest, dvar)
     subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT)
 
     # replace RPATHs for the nativesdk binaries, to make them relocatable

meta/classes/qemu.bbclass

@@ -64,4 +64,8 @@ QEMU_EXTRAOPTIONS_ppc64e5500 = " -cpu e500mc"
 QEMU_EXTRAOPTIONS_ppce6500 = " -cpu e500mc"
 QEMU_EXTRAOPTIONS_ppc64e6500 = " -cpu e500mc"
 QEMU_EXTRAOPTIONS_ppc7400 = " -cpu 7400"
-QEMU_EXTRAOPTIONS:powerpc64le = " -cpu POWER8"
+QEMU_EXTRAOPTIONS_powerpc64le = " -cpu POWER9"
+# Some packages e.g. fwupd sets PACKAGE_ARCH = MACHINE_ARCH and uses meson which
+# needs right options to usermode qemu
+QEMU_EXTRAOPTIONS_qemuppc = " -cpu 7400"
+QEMU_EXTRAOPTIONS_qemuppc64 = " -cpu POWER9"

meta/classes/rootfs-postcommands.bbclass

@@ -267,9 +267,10 @@ python write_image_manifest () {
 
     if os.path.exists(manifest_name) and link_name:
         manifest_link = deploy_dir + "/" + link_name + ".manifest"
-        if os.path.lexists(manifest_link):
-            os.remove(manifest_link)
-        os.symlink(os.path.basename(manifest_name), manifest_link)
+        if manifest_link != manifest_name:
+            if os.path.lexists(manifest_link):
+                os.remove(manifest_link)
+            os.symlink(os.path.basename(manifest_name), manifest_link)
 }
 
 # Can be used to create /etc/timestamp during image construction to give a reasonably
@@ -339,9 +340,10 @@ python write_image_test_data() {
 
     if os.path.exists(testdata_name) and link_name:
         testdata_link = os.path.join(deploy_dir, "%s.testdata.json" % link_name)
-        if os.path.lexists(testdata_link):
-            os.remove(testdata_link)
-        os.symlink(os.path.basename(testdata_name), testdata_link)
+        if testdata_link != testdata_name:
+            if os.path.lexists(testdata_link):
+                os.remove(testdata_link)
+            os.symlink(os.path.basename(testdata_name), testdata_link)
 }
 write_image_test_data[vardepsexclude] += "TOPDIR"
 

meta/classes/sanity.bbclass

@@ -470,7 +470,7 @@ def check_make_version(sanity_data):
 
     if bb.utils.vercmp_string_op(version, "4.2.1", "=="):
         distro = oe.lsb.distro_identifier()
-        if "ubuntu" in distro:
+        if "ubuntu" in distro or "debian" in distro:
             return None
         return "make version 4.2.1 is known to have issues on Centos/OpenSUSE and other non-Ubuntu systems. Please use a buildtools-make-tarball or a newer version of make.\n"
     return None

meta/classes/sign_package_feed.bbclass

@@ -27,6 +27,7 @@ inherit sanity
 PACKAGE_FEED_SIGN = '1'
 PACKAGE_FEED_GPG_BACKEND ?= 'local'
 PACKAGE_FEED_GPG_SIGNATURE_TYPE ?= 'ASC'
+PACKAGEINDEXDEPS += "gnupg-native:do_populate_sysroot"
 
 # Make feed signing key to be present in rootfs
 FEATURE_PACKAGES_package-management:append = " signing-keys-packagefeed"

meta/classes/sstate.bbclass

@@ -1,4 +1,4 @@
-SSTATE_VERSION = "8"
+SSTATE_VERSION = "10"
 
 SSTATE_ZSTD_CLEVEL ??= "8"
 

meta/classes/staging.bbclass

@@ -651,7 +651,7 @@ python target_add_sysroot_deps () {
     taskdepdata = d.getVar("BB_TASKDEPDATA", False)
     deps = {}
     for dep in taskdepdata.values():
-        if dep[1] == "do_populate_sysroot" and not dep[0].endswith(("-native", "-initial")) and "-cross-" not in dep[0]:
+        if dep[1] == "do_populate_sysroot" and not dep[0].endswith(("-native", "-initial")) and "-cross-" not in dep[0] and dep[0] != pn:
             deps[dep[0]] = dep[6]
 
     d.setVar("HASHEQUIV_EXTRA_SIGDATA", "\n".join("%s: %s" % (k, deps[k]) for k in sorted(deps.keys())))

meta/conf/abi_version.conf

@@ -12,4 +12,4 @@ OELAYOUT_ABI = "15"
 # a reset of the equivalence, for example when reproducibility issues break the
 # existing match data. Distros can also append to this value for the same effect.
 #
-HASHEQUIV_HASH_VERSION  = "12"
+HASHEQUIV_HASH_VERSION  = "14"

meta/conf/distro/include/tclibc-glibc.inc

@@ -13,6 +13,7 @@ PREFERRED_PROVIDER_virtual/libintl ?= "glibc"
 PREFERRED_PROVIDER_virtual/libc ?= "glibc"
 PREFERRED_PROVIDER_virtual/nativesdk-libc ?= "nativesdk-glibc"
 PREFERRED_PROVIDER_virtual/libc-locale ?= "glibc-locale"
+PREFERRED_PROVIDER_virtual/crypt ?= "libxcrypt"
 
 CXXFLAGS += "-fvisibility-inlines-hidden"
 

meta/conf/machine/include/arm/arch-armv8-2a.inc

@@ -1,6 +1,6 @@
 DEFAULTTUNE ?= "armv8-2a"
 
-TUNEVALID[armv8-2a] = "Enable instructions for ARMv8-a"
+TUNEVALID[armv8-2a] = "Enable instructions for ARMv8.2-a"
 TUNE_CCARGS_MARCH .= "${@bb.utils.contains('TUNE_FEATURES', 'armv8-2a', ' -march=armv8.2-a', '', d)}"
 # TUNE crypto will be handled by arch-armv8a.inc below
 MACHINEOVERRIDES =. "${@bb.utils.contains('TUNE_FEATURES', 'armv8-2a', 'armv8-2a:', '', d)}"

meta/conf/machine/include/powerpc/tune-ppc603e.inc

@@ -9,6 +9,3 @@ AVAILTUNES += "ppc603e"
 TUNE_FEATURES:tune-ppc603e = "m32 fpu-hard ppc603e bigendian"
 TUNE_PKGARCH:tune-ppc603e = "ppc603e"
 PACKAGE_EXTRA_ARCHS:tune-ppc603e = "${PACKAGE_EXTRA_ARCHS:tune-powerpc} ppc603e"
-
-# glibc configure options to get 603e specific library (for sqrt)
-GLIBC_EXTRA_OECONF += "${@bb.utils.contains('TUNE_FEATURES', 'ppc603e', '-with-cpu=603e', '', d)}"

meta/conf/machine/include/powerpc/tune-ppc7400.inc

@@ -9,6 +9,3 @@ AVAILTUNES += "ppc7400"
 TUNE_FEATURES:tune-ppc7400 = "m32 fpu-hard ppc7400 altivec bigendian"
 TUNE_PKGARCH:tune-ppc7400 = "ppc7400"
 PACKAGE_EXTRA_ARCHS:tune-ppc7400 = "${PACKAGE_EXTRA_ARCHS:tune-powerpc} ppc7400"
-
-# glibc configure options to get 7400 specific library (for sqrt)
-#GLIBC_EXTRA_OECONF += "${@bb.utils.contains('TUNE_FEATURES', 'ppc7400', '--with-cpu=power4', '', d)}"

meta/conf/machine/include/powerpc/tune-ppce300c3.inc

@@ -11,9 +11,6 @@ TUNE_PKGARCH:tune-ppce300c3 = "ppce300c3"
 PACKAGE_EXTRA_ARCHS:tune-ppce300c3 = "${PACKAGE_EXTRA_ARCHS:tune-powerpc} ppce300c3"
 TUNE_CCARGS .= "${@bb.utils.contains('TUNE_FEATURES', 'ppce300c3', ' -mcpu=e300c3', '', d)}"
 
-# glibc config options to make use of e300c3 (603e) specific sqrt/sqrtf routines
-GLIBC_EXTRA_OECONF += "${@bb.utils.contains('TUNE_FEATURES', 'ppce300c3', '--with-cpu=e300c3', '', d)}"
-
 # soft-float
 TUNEVALID[ppce300c3-nf] = "Enable ppce300c3 specific processor optimizations (no fpu)"
 TUNE_FEATURES:tune-ppce300c3-nf = "${TUNE_FEATURES:tune-powerpc-nf} ppce300c3-nf"

meta/conf/machine/include/powerpc/tune-ppce500mc.inc

@@ -10,8 +10,5 @@ TUNE_FEATURES:tune-ppce500mc = "m32 fpu-hard ppce500mc bigendian"
 TUNE_PKGARCH:tune-ppce500mc = "ppce500mc"
 PACKAGE_EXTRA_ARCHS:tune-ppce500mc = "${PACKAGE_EXTRA_ARCHS:tune-powerpc} ppce500mc"
 
-# glibc configure options to get e500mc specific library (for sqrt)
-GLIBC_EXTRA_OECONF += "${@bb.utils.contains('TUNE_FEATURES', 'ppce500mc', '-with-cpu=e500mc', '', d)}"
-
 # pass -mcpu=e500mc for ppce500mc kernel cross compile
 TARGET_CC_KERNEL_ARCH = "-mcpu=e500mc"

meta/conf/machine/include/powerpc/tune-ppce5500.inc

@@ -16,8 +16,5 @@ BASE_LIB:tune-ppc64e5500 = "lib64"
 TUNE_PKGARCH:tune-ppc64e5500 = "ppc64e5500"
 PACKAGE_EXTRA_ARCHS:tune-ppc64e5500 = "${PACKAGE_EXTRA_ARCHS:tune-powerpc64} ppc64e5500"
 
-# glibc configure options to get e5500 specific library (for sqrt)
-GLIBC_EXTRA_OECONF += "${@bb.utils.contains('TUNE_FEATURES', 'e5500', '--with-cpu=e5500', '', d)}"
-
 # QEMU usermode fails with invalid instruction error (YOCTO: #10304)
 MACHINE_FEATURES_BACKFILL_CONSIDERED:append = "${@bb.utils.contains('TUNE_FEATURES', 'e5500', ' qemu-usermode', '', d)}"

meta/conf/machine/include/powerpc/tune-ppce6500.inc

@@ -16,9 +16,5 @@ BASE_LIB:tune-ppc64e6500 = "lib64"
 TUNE_PKGARCH:tune-ppc64e6500 = "ppc64e6500"
 PACKAGE_EXTRA_ARCHS:tune-ppc64e6500 = "${PACKAGE_EXTRA_ARCHS:tune-powerpc64} ppc64e6500"
 
-# glibc configure options to get e6500 specific library
-GLIBC_EXTRA_OECONF:powerpc64 += "${@bb.utils.contains('TUNE_FEATURES', 'e6500', '--with-cpu=e6500', '', d)}"
-GLIBC_EXTRA_OECONF:powerpc += "${@bb.utils.contains('TUNE_FEATURES', 'e6500', '--with-cpu=e6500', '', d)}"
-
 # QEMU usermode fails with invalid instruction error (YOCTO: #10304)
 MACHINE_FEATURES_BACKFILL_CONSIDERED:append = "${@bb.utils.contains('TUNE_FEATURES', 'e6500', ' qemu-usermode', '', d)}"

meta/conf/machine/qemuarm64.conf

@@ -23,9 +23,9 @@ QB_GRAPHICS = "-device virtio-gpu-pci"
 QB_OPT_APPEND = "-device qemu-xhci -device usb-tablet -device usb-kbd"
 # Virtio Networking support
 QB_TAP_OPT = "-netdev tap,id=net0,ifname=@TAP@,script=no,downscript=no"
-QB_NETWORK_DEVICE = "-device virtio-net-device,netdev=net0,mac=@MAC@"
+QB_NETWORK_DEVICE = "-device virtio-net-pci,netdev=net0,mac=@MAC@"
 # Virtio block device
-QB_ROOTFS_OPT = "-drive id=disk0,file=@ROOTFS@,if=none,format=raw -device virtio-blk-device,drive=disk0"
+QB_ROOTFS_OPT = "-drive id=disk0,file=@ROOTFS@,if=none,format=raw -device virtio-blk-pci,drive=disk0"
 # Virtio serial console
-QB_SERIAL_OPT = "-device virtio-serial-device -chardev null,id=virtcon -device virtconsole,chardev=virtcon"
-QB_TCPSERIAL_OPT = "-device virtio-serial-device -chardev socket,id=virtcon,port=@PORT@,host=127.0.0.1 -device virtconsole,chardev=virtcon"
+QB_SERIAL_OPT = "-device virtio-serial-pci -chardev null,id=virtcon -device virtconsole,chardev=virtcon"
+QB_TCPSERIAL_OPT = "-device virtio-serial-pci -chardev socket,id=virtcon,port=@PORT@,host=127.0.0.1 -device virtconsole,chardev=virtcon"

meta/conf/machine/qemuarmv5.conf

@@ -15,7 +15,7 @@ QB_MACHINE = "-machine versatilepb"
 QB_KERNEL_CMDLINE_APPEND = "vmalloc=256"
 QB_GRAPHICS = "-device virtio-gpu-pci"
 QB_OPT_APPEND = "-device qemu-xhci -device usb-tablet -device usb-kbd"
-PREFERRED_VERSION_linux-yocto ??= "5.15%"
 QB_DTB = "${@oe.utils.version_less_or_equal('PREFERRED_VERSION_linux-yocto', '4.7', '', 'zImage-versatile-pb.dtb', d)}"
 
-KMACHINE:qemuarmv5 = "qemuarm"
+PREFERRED_VERSION_linux-yocto ??= "5.15%"
+KMACHINE:qemuarmv5 = "arm-versatile-926ejs"

meta/lib/oe/cve_check.py

@@ -89,9 +89,10 @@ def get_patched_cves(d):
     for url in oe.patch.src_patches(d):
         patch_file = bb.fetch.decodeurl(url)[2]
 
+        # Remote compressed patches may not be unpacked, so silently ignore them
         if not os.path.isfile(patch_file):
-            bb.error("File Not found: %s" % patch_file)
-            raise FileNotFoundError
+            bb.warn("%s does not exist, cannot extract CVE list" % patch_file)
+            continue
 
         # Check patch file name for CVE ID
         fname_match = cve_file_name_match.search(patch_file)

meta/lib/oe/sstatesig.py

@@ -382,13 +382,13 @@ def find_siginfo(pn, taskname, taskhashlist, d):
             localdata.setVar('PV', '*')
             localdata.setVar('PR', '*')
             localdata.setVar('BB_TASKHASH', hashval)
+            localdata.setVar('SSTATE_CURRTASK', taskname[3:])
             swspec = localdata.getVar('SSTATE_SWSPEC')
             if taskname in ['do_fetch', 'do_unpack', 'do_patch', 'do_populate_lic', 'do_preconfigure'] and swspec:
                 localdata.setVar('SSTATE_PKGSPEC', '${SSTATE_SWSPEC}')
             elif pn.endswith('-native') or "-cross-" in pn or "-crosssdk-" in pn:
                 localdata.setVar('SSTATE_EXTRAPATH', "${NATIVELSBSTRING}/")
-            sstatename = taskname[3:]
-            filespec = '%s_%s.*.siginfo' % (localdata.getVar('SSTATE_PKG'), sstatename)
+            filespec = '%s.siginfo' % localdata.getVar('SSTATE_PKG')
 
             matchedfiles = glob.glob(filespec)
             for fullpath in matchedfiles:

meta/lib/oe/terminal.py

@@ -30,9 +30,10 @@ class Registry(oe.classutils.ClassRegistry):
 
 class Terminal(Popen, metaclass=Registry):
     def __init__(self, sh_cmd, title=None, env=None, d=None):
+        from subprocess import STDOUT
         fmt_sh_cmd = self.format_command(sh_cmd, title)
         try:
-            Popen.__init__(self, fmt_sh_cmd, env=env)
+            Popen.__init__(self, fmt_sh_cmd, env=env, stderr=STDOUT)
         except OSError as exc:
             import errno
             if exc.errno == errno.ENOENT:

meta/lib/oeqa/runtime/cases/apt.py

@@ -21,7 +21,7 @@ class AptRepoTest(AptTest):
 
     @classmethod
     def setUpClass(cls):
-        service_repo = os.path.join(cls.tc.td['DEPLOY_DIR_DEB'], 'all')
+        service_repo = os.path.join(cls.tc.td['DEPLOY_DIR_DEB'], '')
         cls.repo_server = HTTPService(service_repo,
                                       '0.0.0.0', port=cls.tc.target.server_port,
                                       logger=cls.tc.logger)
@@ -34,20 +34,44 @@ class AptRepoTest(AptTest):
     def setup_source_config_for_package_install(self):
         apt_get_source_server = 'http://%s:%s/' % (self.tc.target.server_ip, self.repo_server.port)
         apt_get_sourceslist_dir = '/etc/apt/'
-        self.target.run('cd %s; echo deb [ allow-insecure=yes ] %s ./ > sources.list' % (apt_get_sourceslist_dir, apt_get_source_server))
+        self.target.run('cd %s; echo deb [ allow-insecure=yes ] %s/all ./ > sources.list' % (apt_get_sourceslist_dir, apt_get_source_server))
+
+    def setup_source_config_for_package_install_signed(self):
+        apt_get_source_server = 'http:\/\/%s:%s' % (self.tc.target.server_ip, self.repo_server.port)
+        apt_get_sourceslist_dir = '/etc/apt/'
+        self.target.run("cd %s; cp sources.list sources.list.bak; sed -i 's/\[trusted=yes\] http:\/\/bogus_ip:bogus_port/%s/g' sources.list" % (apt_get_sourceslist_dir, apt_get_source_server))
 
     def cleanup_source_config_for_package_install(self):
         apt_get_sourceslist_dir = '/etc/apt/'
         self.target.run('cd %s; rm sources.list' % (apt_get_sourceslist_dir))
 
+    def cleanup_source_config_for_package_install_signed(self):
+        apt_get_sourceslist_dir = '/etc/apt/'
+        self.target.run('cd %s; mv sources.list.bak sources.list' % (apt_get_sourceslist_dir))
+
+    def setup_key(self):
+        # the key is found on the target /etc/pki/packagefeed-gpg/
+        # named PACKAGEFEED-GPG-KEY-poky-branch
+        self.target.run('cd %s; apt-key add P*' % ('/etc/pki/packagefeed-gpg'))
+
     @skipIfNotFeature('package-management',
                       'Test requires package-management to be in IMAGE_FEATURES')
     @skipIfNotDataVar('IMAGE_PKGTYPE', 'deb',
                       'DEB is not the primary package manager')
     @OEHasPackage(['apt'])
     def test_apt_install_from_repo(self):
-        self.setup_source_config_for_package_install()
-        self.pkg('update')
-        self.pkg('remove --yes run-postinsts-dev')
-        self.pkg('install --yes --allow-unauthenticated run-postinsts-dev')
-        self.cleanup_source_config_for_package_install()
+        if not self.tc.td.get('PACKAGE_FEED_GPG_NAME'):
+            self.setup_source_config_for_package_install()
+            self.pkg('update')
+            self.pkg('remove --yes run-postinsts-dev')
+            self.pkg('install --yes --allow-unauthenticated run-postinsts-dev')
+            self.cleanup_source_config_for_package_install()
+        else:
+            # when we are here a key has been set to sign the package feed and
+            # public key and gnupg installed on the image by test_testimage_apt
+            self.setup_source_config_for_package_install_signed()
+            self.setup_key()
+            self.pkg('update')
+            self.pkg('install --yes run-postinsts-dev')
+            self.pkg('remove --yes run-postinsts-dev')
+            self.cleanup_source_config_for_package_install_signed()

meta/lib/oeqa/sdk/cases/buildepoxy.py

@@ -17,7 +17,7 @@ class EpoxyTest(OESDKTestCase):
     """
     def setUp(self):
         if not (self.tc.hasHostPackage("nativesdk-meson")):
-            raise unittest.SkipTest("GalculatorTest class: SDK doesn't contain Meson")
+            raise unittest.SkipTest("EpoxyTest class: SDK doesn't contain Meson")
 
     def test_epoxy(self):
         with tempfile.TemporaryDirectory(prefix="epoxy", dir=self.tc.sdk_dir) as testdir:

meta/lib/oeqa/selftest/cases/git.py

@@ -0,0 +1,15 @@
+from oeqa.selftest.case import OESelftestTestCase
+from oeqa.utils.commands import bitbake
+
+class GitCheck(OESelftestTestCase):
+    def test_git_intercept(self):
+        """
+        Git binaries with CVE-2022-24765 fixed will refuse to operate on a
+        repository which is owned by a different user. This breaks our
+        do_install task as that runs inside pseudo, so the git repository is
+        owned by the build user but git is running as (fake)root.
+
+        We have an intercept which disables pseudo, so verify that it works.
+        """
+        bitbake("git-submodule-test -c test_git_as_user")
+        bitbake("git-submodule-test -c test_git_as_root")

meta/lib/oeqa/selftest/cases/lic_checksum.py

@@ -4,12 +4,30 @@
 
 import os
 import tempfile
+import urllib
 
 from oeqa.selftest.case import OESelftestTestCase
 from oeqa.utils.commands import bitbake
 
 class LicenseTests(OESelftestTestCase):
 
+    def test_checksum_with_space(self):
+        bitbake_cmd = '-c populate_lic emptytest'
+
+        lic_file, lic_path = tempfile.mkstemp(" -afterspace")
+        os.close(lic_file)
+        #self.track_for_cleanup(lic_path)
+
+        self.write_config("INHERIT:remove = \"report-error\"")
+
+        self.write_recipeinc('emptytest', """
+INHIBIT_DEFAULT_DEPS = "1"
+LIC_FILES_CHKSUM = "file://%s;md5=d41d8cd98f00b204e9800998ecf8427e"
+SRC_URI = "file://%s;md5=d41d8cd98f00b204e9800998ecf8427e"
+""" % (urllib.parse.quote(lic_path), urllib.parse.quote(lic_path)))
+        result = bitbake(bitbake_cmd)
+
+
     # Verify that changing a license file that has an absolute path causes
     # the license qa to fail due to a mismatched md5sum.
     def test_nonmatching_checksum(self):

meta/lib/oeqa/selftest/cases/runtime_test.py

@@ -162,6 +162,44 @@ class TestImage(OESelftestTestCase):
         bitbake('core-image-full-cmdline socat')
         bitbake('-c testimage core-image-full-cmdline')
 
+    def test_testimage_apt(self):
+        """
+        Summary: Check package feeds functionality for apt
+        Expected: 1. Check that remote package feeds can be accessed
+        Product: oe-core
+        Author: Ferry Toth <fntoth@gmail.com>
+        """
+        if get_bb_var('DISTRO') == 'poky-tiny':
+            self.skipTest('core-image-full-cmdline not buildable for poky-tiny')
+
+        features = 'INHERIT += "testimage"\n'
+        features += 'TEST_SUITES = "ping ssh apt.AptRepoTest.test_apt_install_from_repo"\n'
+        # We don't yet know what the server ip and port will be - they will be patched
+        # in at the start of the on-image test
+        features += 'PACKAGE_FEED_URIS = "http://bogus_ip:bogus_port"\n'
+        features += 'EXTRA_IMAGE_FEATURES += "package-management"\n'
+        features += 'PACKAGE_CLASSES = "package_deb"\n'
+        # We need  gnupg on the target to install keys
+        features += 'IMAGE_INSTALL:append:pn-core-image-full-cmdline = " gnupg"\n'
+
+        bitbake('gnupg-native -c addto_recipe_sysroot')
+
+        # Enable package feed signing
+        self.gpg_home = tempfile.mkdtemp(prefix="oeqa-feed-sign-")
+        self.track_for_cleanup(self.gpg_home)
+        signing_key_dir = os.path.join(self.testlayer_path, 'files', 'signing')
+        runCmd('gpgconf --list-dirs --homedir %s; gpg -v --batch --homedir %s --import %s' % (self.gpg_home, self.gpg_home, os.path.join(signing_key_dir, 'key.secret')), native_sysroot=get_bb_var("RECIPE_SYSROOT_NATIVE", "gnupg-native"), shell=True)
+        features += 'INHERIT += "sign_package_feed"\n'
+        features += 'PACKAGE_FEED_GPG_NAME = "testuser"\n'
+        features += 'PACKAGE_FEED_GPG_PASSPHRASE_FILE = "%s"\n' % os.path.join(signing_key_dir, 'key.passphrase')
+        features += 'GPG_PATH = "%s"\n' % self.gpg_home
+        features += 'PSEUDO_IGNORE_PATHS .= ",%s"\n' % self.gpg_home
+        self.write_config(features)
+
+        # Build core-image-sato and testimage
+        bitbake('core-image-full-cmdline socat')
+        bitbake('-c testimage core-image-full-cmdline')
+
     def test_testimage_virgl_gtk_sdl(self):
         """
         Summary: Check host-assisted accelerate OpenGL functionality in qemu with gtk and SDL frontends
@@ -214,7 +252,7 @@ class TestImage(OESelftestTestCase):
         import subprocess, os
 
         distro = oe.lsb.distro_identifier()
-        if distro and distro in ['debian-9', 'debian-10', 'centos-7', 'centos-8', 'ubuntu-16.04', 'ubuntu-18.04', 'almalinux-8.5']:
+        if distro and distro in ['debian-9', 'debian-10', 'centos-7', 'centos-8', 'ubuntu-16.04', 'ubuntu-18.04', 'almalinux-8.5', 'almalinux-8.6']:
             self.skipTest('virgl headless cannot be tested with %s' %(distro))
 
         render_hint = """If /dev/dri/renderD* is absent due to lack of suitable GPU, 'modprobe vgem' will create one suitable for mesa llvmpipe software renderer."""

meta/recipes-bsp/u-boot/u-boot-common.inc

@@ -14,9 +14,11 @@ PE = "1"
 # repo during parse
 SRCREV = "d637294e264adfeb29f390dfc393106fd4d41b17"
 
-SRC_URI = "git://git.denx.de/u-boot.git;branch=master \
-          "
+SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master"
 
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build"
+
+inherit pkgconfig
+
 do_configure[cleandirs] = "${B}"

meta/recipes-connectivity/neard/neard_0.16.bb

@@ -2,21 +2,22 @@ SUMMARY = "Linux NFC daemon"
 DESCRIPTION = "A daemon for the Linux Near Field Communication stack"
 HOMEPAGE = "http://01.org/linux-nfc"
 LICENSE = "GPL-2.0-only"
+LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
+                    file://src/near.h;beginline=1;endline=20;md5=358e4deefef251a4761e1ffacc965d13 \
+                   "
 
 DEPENDS = "dbus glib-2.0 libnl"
 
-SRC_URI = "${KERNELORG_MIRROR}/linux/network/nfc/${BP}.tar.xz \
+SRC_URI = "git://git.kernel.org/pub/scm/network/nfc/neard.git;protocol=git;branch=master \
            file://neard.in \
            file://Makefile.am-fix-parallel-issue.patch \
            file://Makefile.am-do-not-ship-version.h.patch \
            file://0001-Add-header-dependency-to-nciattach.o.patch \
           "
-SRC_URI[md5sum] = "5c691fb7872856dc0d909c298bc8cb41"
-SRC_URI[sha256sum] = "eae3b11c541a988ec11ca94b7deab01080cd5b58cfef3ced6ceac9b6e6e65b36"
 
-LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
- file://src/near.h;beginline=1;endline=20;md5=358e4deefef251a4761e1ffacc965d13 \
- "
+SRCREV = "949795024f7625420e93e288c56e194cb9a3e74a"
+
+S = "${WORKDIR}/git"
 
 inherit autotools pkgconfig systemd update-rc.d
 

meta/recipes-connectivity/openssl/openssl_3.0.3.bb

@@ -18,7 +18,7 @@ SRC_URI:append:class-nativesdk = " \
            file://environment.d-openssl.sh \
            "
 
-SRC_URI[sha256sum] = "98e91ccead4d4756ae3c9cde5e09191a8e586d9f4d50838e7ec09d6411dfdb63"
+SRC_URI[sha256sum] = "ee0078adcef1de5f003c62c80cc96527721609c6f3bb42b7795df31f8b558c0b"
 
 inherit lib_package multilib_header multilib_script ptest perlnative
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
@@ -224,7 +224,7 @@ do_install_ptest () {
 # file to be installed for both the openssl-bin package and the libcrypto
 # package since the openssl-bin package depends on the libcrypto package.
 
-PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc"
+PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy"
 
 FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}"
 FILES:libssl = "${libdir}/libssl${SOLIBS}"
@@ -235,12 +235,13 @@ FILES:${PN}-engines = "${libdir}/engines-3"
 # ${prefix} comes from what we pass into --prefix at configure time (which is used for INSTALLTOP)
 FILES:${PN}-engines:append:mingw32:class-nativesdk = " ${prefix}${libdir}/engines-3"
 FILES:${PN}-misc = "${libdir}/ssl-3/misc ${bindir}/c_rehash"
+FILES:${PN}-ossl-module-legacy = "${libdir}/ossl-modules/legacy.so"
 FILES:${PN} =+ "${libdir}/ssl-3/* ${libdir}/ossl-modules/"
 FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"
 
 CONFFILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
 
-RRECOMMENDS:libcrypto += "openssl-conf"
+RRECOMMENDS:libcrypto += "openssl-conf ${PN}-ossl-module-legacy"
 RDEPENDS:${PN}-misc = "perl"
 RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash sed"
 

meta/recipes-core/busybox/busybox.inc

@@ -347,7 +347,7 @@ do_install_ptest () {
         # These access the internet which is not guaranteed to work on machines running the tests
         rm -rf ${D}${PTEST_PATH}/testsuite/wget
 	sort ${B}/.config > ${D}${PTEST_PATH}/.config
-	ln -s /bin/busybox   ${D}${PTEST_PATH}/busybox
+	ln -s ${base_bindir}/busybox   ${D}${PTEST_PATH}/busybox
 }
 
 inherit update-alternatives

meta/recipes-core/glib-2.0/glib-2.0/0001-tests-Add-C-tests-for-typechecking-with-atomic-compa.patch

@@ -1,64 +0,0 @@
-From 44b4bcd56d7ac2bd8ebf00e9fa433ad897d68216 Mon Sep 17 00:00:00 2001
-From: Philip Withnall <pwithnall@endlessos.org>
-Date: Fri, 1 Apr 2022 13:44:45 +0100
-Subject: [PATCH 1/2] tests: Add C++ tests for typechecking with atomic compare
- and exchanges
-
-Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
-
-Helps: #2625
-Upstream-Status: Submitted [https://gitlab.gnome.org/GNOME/glib/-/merge_requests/2578]
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
- glib/tests/cxx.cpp | 28 ++++++++++++++++++++++++++++
- 1 file changed, 28 insertions(+)
-
-diff --git a/glib/tests/cxx.cpp b/glib/tests/cxx.cpp
-index be0a6bfa1..7d7f27c91 100644
---- a/glib/tests/cxx.cpp
-+++ b/glib/tests/cxx.cpp
-@@ -53,6 +53,32 @@ test_typeof (void)
- #endif
- }
- 
-+static void
-+test_atomic_pointer_compare_and_exchange (void)
-+{
-+  const gchar *str1 = "str1";
-+  const gchar *str2 = "str2";
-+  const gchar *atomic_string = str1;
-+
-+  g_test_message ("Test that g_atomic_pointer_compare_and_exchange() with a "
-+                  "non-void* pointer doesn’t have any compiler warnings in C++ mode");
-+
-+  g_assert_true (g_atomic_pointer_compare_and_exchange (&atomic_string, str1, str2));
-+  g_assert_true (atomic_string == str2);
-+}
-+
-+static void
-+test_atomic_int_compare_and_exchange (void)
-+{
-+  gint atomic_int = 5;
-+
-+  g_test_message ("Test that g_atomic_int_compare_and_exchange() doesn’t have "
-+                  "any compiler warnings in C++ mode");
-+
-+  g_assert_true (g_atomic_int_compare_and_exchange (&atomic_int, 5, 50));
-+  g_assert_cmpint (atomic_int, ==, 50);
-+}
-+
- int
- main (int argc, char *argv[])
- {
-@@ -63,6 +89,8 @@ main (int argc, char *argv[])
- #endif
- 
-   g_test_add_func ("/C++/typeof", test_typeof);
-+  g_test_add_func ("/C++/atomic-pointer-compare-and-exchange", test_atomic_pointer_compare_and_exchange);
-+  g_test_add_func ("/C++/atomic-int-compare-and-exchange", test_atomic_int_compare_and_exchange);
- 
-   return g_test_run ();
- }
--- 
-2.35.1
-

meta/recipes-core/glib-2.0/glib-2.0/0002-gatomic-Add-a-C-variant-of-g_atomic_int_compare_and_.patch

@@ -1,70 +0,0 @@
-From 2668390454bc0efe52a262eb2faa4a2bd5a062e2 Mon Sep 17 00:00:00 2001
-From: Philip Withnall <pwithnall@endlessos.org>
-Date: Fri, 1 Apr 2022 13:47:19 +0100
-Subject: [PATCH 2/2] gatomic: Add a C++ variant of
- g_atomic_int_compare_and_exchange()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The C++ variant implements type safety differently, to avoid warnings
-from C++ compilers about:
-```
-../../../gnome-commander-1.14.2/src/intviewer/searcher.cc:303:5: error: cannot initialize a parameter of type 'gint *' (aka 'int *') with an rvalue of type 'void *'
-    g_atomic_int_compare_and_exchange ((gint*)&src->priv->progress_value, oldval, (gint)d);
-    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-/mnt/b/yoe/master/build/tmp/work/cortexa72-yoe-linux/gnome-commander/1.14.2-r0/recipe-sysroot/usr/include/glib-2.0/glib/gatomic.h:160:44: note: expanded from macro 'g_atomic_int_compare_and_exchange'
-    __atomic_compare_exchange_n ((atomic), (void *) (&(gaicae_oldval)), (newval), FALSE, __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST) ? TRUE : FALSE; \
-                                           ^~~~~~~~~~~~~~~~~~~~~~~~~~~
-```
-
-This complements the existing C++ variant for
-`g_atomic_pointer_compare_and_exchange()`, and fixes a regression on C++
-from https://gitlab.gnome.org/GNOME/glib/-/merge_requests/2114.
-
-With the addition of the unit tests in the previous commit, this is
-effectively tested by the FreeBSD and macOS CI jobs, as they use
-`clang++` in C++ mode. `g++` doesn’t seem to emit a warning about this.
-
-Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
-
-Fixes: #2625
-Upstream-Status: Submitted [https://gitlab.gnome.org/GNOME/glib/-/merge_requests/2578]
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
- glib/gatomic.h | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/glib/gatomic.h b/glib/gatomic.h
-index 5eba1dbc7..8b2b880c8 100644
---- a/glib/gatomic.h
-+++ b/glib/gatomic.h
-@@ -152,6 +152,17 @@ G_END_DECLS
-     (void) (0 ? *(atomic) ^ *(atomic) : 1);                                  \
-     __atomic_fetch_sub ((atomic), 1, __ATOMIC_SEQ_CST) == 1;                 \
-   }))
-+#if defined(glib_typeof) && defined(__cplusplus) && __cplusplus >= 201103L
-+/* See comments below about equivalent g_atomic_pointer_compare_and_exchange()
-+ * shenanigans for type-safety when compiling in C++ mode. */
-+#define g_atomic_int_compare_and_exchange(atomic, oldval, newval) \
-+  (G_GNUC_EXTENSION ({                                                       \
-+    glib_typeof (*(atomic)) gaicae_oldval = (oldval);                        \
-+    G_STATIC_ASSERT (sizeof *(atomic) == sizeof (gint));                     \
-+    (void) (0 ? *(atomic) ^ (newval) ^ (oldval) : 1);                        \
-+    __atomic_compare_exchange_n ((atomic), &gaicae_oldval, (newval), FALSE, __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST) ? TRUE : FALSE; \
-+  }))
-+#else /* if !(defined(glib_typeof) && defined(__cplusplus) && __cplusplus >= 201103L) */
- #define g_atomic_int_compare_and_exchange(atomic, oldval, newval) \
-   (G_GNUC_EXTENSION ({                                                       \
-     gint gaicae_oldval = (oldval);                                           \
-@@ -159,6 +170,7 @@ G_END_DECLS
-     (void) (0 ? *(atomic) ^ (newval) ^ (oldval) : 1);                        \
-     __atomic_compare_exchange_n ((atomic), (void *) (&(gaicae_oldval)), (newval), FALSE, __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST) ? TRUE : FALSE; \
-   }))
-+#endif /* defined(glib_typeof) */
- #define g_atomic_int_add(atomic, val) \
-   (G_GNUC_EXTENSION ({                                                       \
-     G_STATIC_ASSERT (sizeof *(atomic) == sizeof (gint));                     \
--- 
-2.35.1
-

meta/recipes-core/glib-2.0/glib-2.0/Enable-more-tests-while-cross-compiling.patch

@@ -1,4 +1,4 @@
-From d2d7af496b4f4a13779179dbcbb98de56b09783f Mon Sep 17 00:00:00 2001
+From 1f3c05529c0c9032ae0a289fb1f088b7541fc9b0 Mon Sep 17 00:00:00 2001
 From: Jussi Kukkonen <jussi.kukkonen@intel.com>
 Date: Mon, 9 Nov 2015 11:07:27 +0200
 Subject: [PATCH] Enable more tests while cross-compiling
@@ -9,24 +9,25 @@ case we can depend on glib-2.0-native.
 
 Upstream-Status: Inappropriate [OE specific]
 Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
+
 ---
  gio/tests/meson.build | 24 ++++++++++++------------
  1 file changed, 12 insertions(+), 12 deletions(-)
 
 diff --git a/gio/tests/meson.build b/gio/tests/meson.build
-index e8d10a0f11f2..abe676767c60 100644
+index 3ed23a5..5df932a 100644
 --- a/gio/tests/meson.build
 +++ b/gio/tests/meson.build
-@@ -250,7 +250,7 @@ if host_machine.system() != 'windows'
+@@ -253,7 +253,7 @@ if host_machine.system() != 'windows'
+     }
+   endif
  
-   #  Test programs that need to bring up a session bus (requires dbus-daemon)
-   have_dbus_daemon = find_program('dbus-daemon', required : false).found()
 -  if have_dbus_daemon
 +  if true
      annotate_args = [
        '--annotate', 'org.project.Bar', 'Key1', 'Value1',
        '--annotate', 'org.project.Bar', 'org.gtk.GDBus.Internal', 'Value2',
-@@ -601,14 +601,14 @@ if installed_tests_enabled
+@@ -603,14 +603,14 @@ if installed_tests_enabled
    endforeach
  endif
  
@@ -43,7 +44,7 @@ index e8d10a0f11f2..abe676767c60 100644
                 compiler_type,
                 '--target=@OUTPUT@',
                 '--sourcedir=' + meson.current_source_dir(),
-@@ -634,7 +634,7 @@ if not meson.is_cross_build() or meson.has_exe_wrapper()
+@@ -636,7 +636,7 @@ if not meson.is_cross_build() or meson.has_exe_wrapper()
    test_gresource = custom_target('test.gresource',
      input : 'test.gresource.xml',
      output : 'test.gresource',
@@ -52,7 +53,7 @@ index e8d10a0f11f2..abe676767c60 100644
                 compiler_type,
                 '--target=@OUTPUT@',
                 '--sourcedir=' + meson.current_source_dir(),
-@@ -647,7 +647,7 @@ if not meson.is_cross_build() or meson.has_exe_wrapper()
+@@ -649,7 +649,7 @@ if not meson.is_cross_build() or meson.has_exe_wrapper()
    test_resources2_c = custom_target('test_resources2.c',
      input : 'test3.gresource.xml',
      output : 'test_resources2.c',
@@ -61,7 +62,7 @@ index e8d10a0f11f2..abe676767c60 100644
                 compiler_type,
                 '--target=@OUTPUT@',
                 '--sourcedir=' + meson.current_source_dir(),
-@@ -660,7 +660,7 @@ if not meson.is_cross_build() or meson.has_exe_wrapper()
+@@ -662,7 +662,7 @@ if not meson.is_cross_build() or meson.has_exe_wrapper()
    test_resources2_h = custom_target('test_resources2.h',
      input : 'test3.gresource.xml',
      output : 'test_resources2.h',
@@ -70,7 +71,7 @@ index e8d10a0f11f2..abe676767c60 100644
                 compiler_type,
                 '--target=@OUTPUT@',
                 '--sourcedir=' + meson.current_source_dir(),
-@@ -674,7 +674,7 @@ if not meson.is_cross_build() or meson.has_exe_wrapper()
+@@ -676,7 +676,7 @@ if not meson.is_cross_build() or meson.has_exe_wrapper()
      input : 'test2.gresource.xml',
      depends : big_test_resource,
      output : 'test_resources.c',
@@ -79,7 +80,7 @@ index e8d10a0f11f2..abe676767c60 100644
                 compiler_type,
                 '--target=@OUTPUT@',
                 '--sourcedir=' + meson.current_source_dir(),
-@@ -687,7 +687,7 @@ if not meson.is_cross_build() or meson.has_exe_wrapper()
+@@ -689,7 +689,7 @@ if not meson.is_cross_build() or meson.has_exe_wrapper()
    digit_test_resources_c = custom_target('digit_test_resources.c',
      input : '111_digit_test.gresource.xml',
      output : 'digit_test_resources.c',
@@ -88,7 +89,7 @@ index e8d10a0f11f2..abe676767c60 100644
                 compiler_type,
                 '--target=@OUTPUT@',
                 '--sourcedir=' + meson.current_source_dir(),
-@@ -700,7 +700,7 @@ if not meson.is_cross_build() or meson.has_exe_wrapper()
+@@ -702,7 +702,7 @@ if not meson.is_cross_build() or meson.has_exe_wrapper()
    digit_test_resources_h = custom_target('digit_test_resources.h',
      input : '111_digit_test.gresource.xml',
      output : 'digit_test_resources.h',
@@ -97,7 +98,7 @@ index e8d10a0f11f2..abe676767c60 100644
                 compiler_type,
                 '--target=@OUTPUT@',
                 '--sourcedir=' + meson.current_source_dir(),
-@@ -742,11 +742,11 @@ if not meson.is_cross_build() or meson.has_exe_wrapper()
+@@ -744,11 +744,11 @@ if not meson.is_cross_build() or meson.has_exe_wrapper()
  
    ld = find_program('ld', required : false)
  
@@ -111,7 +112,7 @@ index e8d10a0f11f2..abe676767c60 100644
                   compiler_type,
                   '--target=@OUTPUT@',
                   '--sourcedir=' + meson.current_source_dir(),
-@@ -760,7 +760,7 @@ if not meson.is_cross_build() or meson.has_exe_wrapper()
+@@ -762,7 +762,7 @@ if not meson.is_cross_build() or meson.has_exe_wrapper()
      test_resources_binary_c = custom_target('test_resources_binary.c',
        input : 'test5.gresource.xml',
        output : 'test_resources_binary.c',
@@ -120,6 +121,3 @@ index e8d10a0f11f2..abe676767c60 100644
                   compiler_type,
                   '--target=@OUTPUT@',
                   '--sourcedir=' + meson.current_source_dir(),
--- 
-2.34.1
-

meta/recipes-core/glib-2.0/glib-2.0/relocate-modules.patch

@@ -1,4 +1,4 @@
-From d4e95568151cb7a62b6a29a4d2c3f532fd55c98c Mon Sep 17 00:00:00 2001
+From d52b1b530c5d8a1e70ae45d6e2139e9d3f25207f Mon Sep 17 00:00:00 2001
 From: Ross Burton <ross.burton@intel.com>
 Date: Fri, 11 Mar 2016 15:35:55 +0000
 Subject: [PATCH] glib-2.0: relocate the GIO module directory for native builds
@@ -19,10 +19,10 @@ Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
  1 file changed, 11 insertions(+), 1 deletion(-)
 
 diff --git a/gio/giomodule.c b/gio/giomodule.c
-index d34037a..7442df6 100644
+index 2a043cc..e2d2310 100644
 --- a/gio/giomodule.c
 +++ b/gio/giomodule.c
-@@ -54,6 +54,8 @@
+@@ -56,6 +56,8 @@
  #ifdef G_OS_WIN32
  #include "gregistrysettingsbackend.h"
  #include "giowin32-priv.h"
@@ -31,7 +31,7 @@ index d34037a..7442df6 100644
  #endif
  #include <glib/gstdio.h>
  
-@@ -1224,7 +1226,15 @@ get_gio_module_dir (void)
+@@ -1267,7 +1269,15 @@ get_gio_module_dir (void)
                                       NULL);
        g_free (install_dir);
  #else

meta/recipes-core/glib-2.0/glib-2.0_2.72.1.bb

@@ -16,12 +16,10 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
            file://0001-Do-not-write-bindir-into-pkg-config-files.patch \
            file://0001-meson-Run-atomics-test-on-clang-as-well.patch \
            file://0001-gio-tests-resources.c-comment-out-a-build-host-only-.patch \
-           file://0001-tests-Add-C-tests-for-typechecking-with-atomic-compa.patch \
-           file://0002-gatomic-Add-a-C-variant-of-g_atomic_int_compare_and_.patch \
            "
 SRC_URI:append:class-native = " file://relocate-modules.patch"
 
-SRC_URI[sha256sum] = "d7bef0d4c4e7a62e08efb8e5f252a01357007b9588a87ff2b463a3857011f79d"
+SRC_URI[sha256sum] = "c07e57147b254cef92ce80a0378dc0c02a4358e7de4702e9f403069781095fe2"
 
 # Find any meson cross files in FILESPATH that are relevant for the current
 # build (using siteinfo) and add them to EXTRA_OEMESON.

meta/recipes-core/glibc/glibc-tests_2.35.bb

@@ -1,7 +1,8 @@
 require glibc_${PV}.bb
 require glibc-tests.inc
 
-inherit ptest
+inherit ptest features_check
+REQUIRED_DISTRO_FEATURES = "ptest"
 
 SRC_URI:append = " \
 	file://run-ptest \

meta/recipes-core/images/build-appliance-image_15.0.0.bb

@@ -24,8 +24,8 @@ IMAGE_FSTYPES = "wic.vmdk wic.vhd wic.vhdx"
 
 inherit core-image setuptools3
 
-SRCREV ?= "0674ae7bc46ebfa90c55bbedec6b22dc5f48dacf"
-SRC_URI = "git://git.yoctoproject.org/poky;branch=master \
+SRCREV ?= "93491db3bfe95da71518a52b6190f912c2c2fe9b"
+SRC_URI = "git://git.yoctoproject.org/poky;branch=kirkstone \
            file://Yocto_Build_Appliance.vmx \
            file://Yocto_Build_Appliance.vmxf \
            file://README_VirtualBox_Guest_Additions.txt \

meta/recipes-core/libxml/libxml2/runtest.patch

@@ -5,9 +5,11 @@ Subject: [PATCH] Add 'install-ptest' rule.
 
 Print a standard result line for each test.
 
+The patch needs a rework according to comments in the merge request.
+
 Signed-off-by: Mihaela Sendrea <mihaela.sendrea@enea.com>
 Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
-Upstream-Status: Submitted [https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/137]
+Upstream-Status: Inappropriate [https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/137]
 
 Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
 Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>

meta/recipes-core/meta/buildtools-tarball.bb

@@ -69,8 +69,10 @@ create_sdk_files:append () {
 	touch $script
 	echo 'export PATH=${SDKPATHNATIVE}${bindir_nativesdk}:${SDKPATHNATIVE}${sbindir_nativesdk}:${SDKPATHNATIVE}${base_bindir_nativesdk}:${SDKPATHNATIVE}${base_sbindir_nativesdk}:$PATH' >> $script
 	echo 'export OECORE_NATIVE_SYSROOT="${SDKPATHNATIVE}"' >> $script
-	echo 'export GIT_SSL_CAINFO="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script
-	echo 'export SSL_CERT_FILE="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script
+	if [ -e "${SDK_OUTPUT}${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt" ]; then
+		echo 'export GIT_SSL_CAINFO="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script
+		echo 'export SSL_CERT_FILE="${SDKPATHNATIVE}${sysconfdir}/ssl/certs/ca-certificates.crt"' >>$script
+	fi
 
 	toolchain_create_sdk_version ${SDK_OUTPUT}/${SDKPATH}/version-${SDK_SYS}
 

meta/recipes-core/meta/cve-update-db-native.bb

@@ -13,6 +13,9 @@ deltask do_install
 deltask do_populate_sysroot
 
 NVDCVE_URL ?= "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-"
+# CVE database update interval, in seconds. By default: once a day (24*60*60).
+# Use 0 to force the update
+CVE_DB_UPDATE_INTERVAL ?= "86400"
 
 python () {
     if not bb.data.inherits_class("cve-check", d):
@@ -43,12 +46,17 @@ python do_fetch() {
         if os.path.exists(db_file):
             os.remove(db_file)
 
-    # Don't refresh the database more than once an hour
+    # The NVD database changes once a day, so no need to update more frequently
+    # Allow the user to force-update
     try:
         import time
-        if time.time() - os.path.getmtime(db_file) < (60*60):
+        update_interval = int(d.getVar("CVE_DB_UPDATE_INTERVAL"))
+        if (update_interval < 0):
+            update_interval = 0
+        if time.time() - os.path.getmtime(db_file) < update_interval:
             bb.debug(2, "Recently updated, skipping")
             return
+
     except OSError:
         pass
 

meta/recipes-core/musl/gcompat_git.bb

@@ -37,14 +37,14 @@ do_compile () {
 }
 
 do_install () {
-	oe_runmake install 'DESTDIR=${D}'
+	oe_runmake install 'DESTDIR=${D}${root_prefix}'
 	if [ "${SITEINFO_BITS}" = "64" ]; then
-		install -d ${D}/lib64
-		ln -rs ${D}${GLIBC_LDSO} ${D}/lib64/`basename ${GLIBC_LDSO}`
+		install -d ${D}${nonarch_base_libdir}${SITEINFO_BITS}
+		ln -rs ${D}${GLIBC_LDSO} ${D}${nonarch_base_libdir}${SITEINFO_BITS}/`basename ${GLIBC_LDSO}`
 	fi
 }
 
-FILES:${PN} += "/lib64"
+FILES:${PN} += "${nonarch_base_libdir}${SITEINFO_BITS}"
 
 INSANE_SKIP:${PN} = "libdir"
 

meta/recipes-core/musl/musl_git.bb

@@ -49,7 +49,7 @@ CONFIGUREOPTS = " \
     --bindir=${bindir} \
     --libdir=${libdir} \
     --includedir=${includedir} \
-    --syslibdir=/lib \
+    --syslibdir=${nonarch_base_libdir} \
 "
 
 do_configure() {
@@ -62,14 +62,14 @@ do_compile() {
 
 do_install() {
 	oe_runmake install DESTDIR='${D}'
-	install -d ${D}${bindir} ${D}/lib ${D}${sysconfdir}
+	install -d ${D}${bindir} ${D}${sysconfdir}
         echo "${base_libdir}" > ${D}${sysconfdir}/ld-musl-${MUSL_LDSO_ARCH}.path
         echo "${libdir}" >> ${D}${sysconfdir}/ld-musl-${MUSL_LDSO_ARCH}.path
 	rm -f ${D}${bindir}/ldd ${D}${GLIBC_LDSO}
 	ln -rs ${D}${libdir}/libc.so ${D}${bindir}/ldd
 }
 
-FILES:${PN} += "/lib/ld-musl-${MUSL_LDSO_ARCH}.so.1 ${sysconfdir}/ld-musl-${MUSL_LDSO_ARCH}.path"
+FILES:${PN} += "${nonarch_base_libdir}/ld-musl-${MUSL_LDSO_ARCH}.so.1 ${sysconfdir}/ld-musl-${MUSL_LDSO_ARCH}.path"
 FILES:${PN}-staticdev = "${libdir}/libc.a"
 FILES:${PN}-dev =+ "${libdir}/libcrypt.a ${libdir}/libdl.a ${libdir}/libm.a \
                     ${libdir}/libpthread.a ${libdir}/libresolv.a \

meta/recipes-core/ncurses/ncurses.inc

@@ -2,7 +2,7 @@ SUMMARY = "The New Curses library"
 DESCRIPTION = "SVr4 and XSI-Curses compatible curses library and terminfo tools including tic, infocmp, captoinfo. Supports color, multiple highlights, forms-drawing characters, and automatic recognition of keypad and function-key sequences. Extensions include resizable windows and mouse support on both xterm and Linux console using the gpm library."
 HOMEPAGE = "http://www.gnu.org/software/ncurses/ncurses.html"
 LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://ncurses/base/version.c;beginline=1;endline=27;md5=5526f2f3a29edc95538b368a4771edda"
+LIC_FILES_CHKSUM = "file://COPYING;md5=9529289636145d1bf093c96af067695a;endline=27"
 SECTION = "libs"
 DEPENDS = "ncurses-native"
 DEPENDS:class-native = ""

meta/recipes-core/seatd/seatd_0.6.4.bb

@@ -13,6 +13,9 @@ S = "${WORKDIR}/git"
 
 inherit meson pkgconfig update-rc.d
 
+# https://www.openwall.com/lists/musl/2020/01/20/3
+CFLAGS:append:libc-musl:powerpc64le = " -Wno-error=overflow"
+
 PACKAGECONFIG ?= " \
 	${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)} \
 	libseat-builtin \

meta/recipes-core/systemd/systemd-boot_250.4.bb

@@ -19,7 +19,6 @@ objcopy = ${@meson_array('OBJCOPY', d)}
 EOF
 }
 
-# need to use ${HOST_PREFIX} here, otherwise ld.bfd could be used from HOSTTOOLS_NONFATAL
 EFI_LD = "bfd"
 
 EXTRA_OEMESON += "-Defi=true \

meta/recipes-core/systemd/systemd_250.4.bb

@@ -337,10 +337,6 @@ do_install() {
 	# create link for existing udev rules
 	ln -s ${base_bindir}/udevadm ${D}${base_sbindir}/udevadm
 
-	# duplicate udevadm for postinst script
-	install -d ${D}${libexecdir}
-	ln ${D}${base_bindir}/udevadm ${D}${libexecdir}/${MLPREFIX}udevadm
-
 	# install default policy for presets
 	# https://www.freedesktop.org/wiki/Software/systemd/Preset/#howto
 	install -Dm 0644 ${WORKDIR}/99-default.preset ${D}${systemd_unitdir}/system-preset/99-default.preset
@@ -718,7 +714,6 @@ FILES:udev += "${base_sbindir}/udevd \
                ${base_bindir}/systemd-hwdb \
                ${base_bindir}/udevadm \
                ${base_sbindir}/udevadm \
-               ${libexecdir}/${MLPREFIX}udevadm \
                ${datadir}/bash-completion/completions/udevadm \
                ${systemd_system_unitdir}/systemd-hwdb-update.service \
               "

meta/recipes-core/udev/eudev_3.2.10.bb

@@ -51,10 +51,6 @@ do_install:append() {
 
 	# hid2hci has moved to bluez4. removed in udev as of version 169
 	rm -f ${D}${base_libdir}/udev/hid2hci
-
-	# duplicate udevadm for postinst script
-	install -d ${D}${libexecdir}
-	ln ${D}${bindir}/udevadm ${D}${libexecdir}/${MLPREFIX}udevadm
 }
 
 do_install:prepend:class-target () {

meta/recipes-core/util-linux/util-linux_2.37.4.bb

@@ -221,6 +221,7 @@ ALTERNATIVE_LINK_NAME[dmesg] = "${base_bindir}/dmesg"
 ALTERNATIVE_LINK_NAME[eject] = "${bindir}/eject"
 ALTERNATIVE_LINK_NAME[fallocate] = "${bindir}/fallocate"
 ALTERNATIVE_LINK_NAME[fdisk] = "${base_sbindir}/fdisk"
+ALTERNATIVE_LINK_NAME[findfs] = "${sbindir}/findfs"
 ALTERNATIVE_LINK_NAME[flock] = "${bindir}/flock"
 ALTERNATIVE_LINK_NAME[fsck] = "${base_sbindir}/fsck"
 ALTERNATIVE_LINK_NAME[fsfreeze] = "${sbindir}/fsfreeze"

meta/recipes-core/volatile-binds/files/volatile-binds.service.in

@@ -1,6 +1,6 @@
 [Unit]
 Description=Bind mount volatile @where@
-DefaultDependencies=false
+DefaultDependencies=no
 Before=local-fs.target
 RequiresMountsFor=@whatparent@ @whereparent@
 ConditionPathIsReadWrite=@whatparent@

meta/recipes-devtools/apt/apt_2.4.5.bb

@@ -25,7 +25,7 @@ SRC_URI:append:class-nativesdk = " \
            file://0001-Revert-always-run-dpkg-configure-a-at-the-end-of-our.patch \
            "
 
-SRC_URI[sha256sum] = "5a7215ca924302da0b2205862cd2d651326eea222a589184ec6ce663885729f7"
+SRC_URI[sha256sum] = "5552f175c3a3924f5cda0c079b821b30f68a2521959f2c30ab164d2ec7993ecf"
 LIC_FILES_CHKSUM = "file://COPYING.GPL;md5=b234ee4d69f5fce4486a80fdaf4a4263"
 
 # the package is taken from snapshots.debian.org; that source is static and goes stale

meta/recipes-devtools/e2fsprogs/e2fsprogs/extents.patch

@@ -0,0 +1,56 @@
+CVE: CVE-2022-1304
+Upstream-Status: Submitted [https://lore.kernel.org/linux-ext4/20220421173148.20193-1-lczerner@redhat.com/]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From 347084c9c1ad20f47dae16f5a3dcd8628d5fc7b0 Mon Sep 17 00:00:00 2001
+From: Lukas Czerner <lczerner@redhat.com>
+Date: Thu, 21 Apr 2022 19:31:48 +0200
+Subject: [PATCH] e2fsprogs: add sanity check to extent manipulation
+
+It is possible to have a corrupted extent tree in such a way that a leaf
+node contains zero extents in it. Currently if that happens and we try
+to traverse the tree we can end up accessing wrong data, or possibly
+even uninitialized memory. Make sure we don't do that.
+
+Additionally make sure that we have a sane number of bytes passed to
+memmove() in ext2fs_extent_delete().
+
+Note that e2fsck is currently unable to spot and fix such corruption in
+pass1.
+
+Signed-off-by: Lukas Czerner <lczerner@redhat.com>
+Reported-by: Nils Bars <nils_bars@t-online.de>
+Addressess: https://bugzilla.redhat.com/show_bug.cgi?id=2068113
+---
+ lib/ext2fs/extent.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/lib/ext2fs/extent.c b/lib/ext2fs/extent.c
+index b324c7b0..1a206a16 100644
+--- a/lib/ext2fs/extent.c
++++ b/lib/ext2fs/extent.c
+@@ -495,6 +495,10 @@ retry:
+ 			ext2fs_le16_to_cpu(eh->eh_entries);
+ 		newpath->max_entries = ext2fs_le16_to_cpu(eh->eh_max);
+ 
++		/* Make sure there is at least one extent present */
++		if (newpath->left <= 0)
++			return EXT2_ET_EXTENT_NO_DOWN;
++
+ 		if (path->left > 0) {
+ 			ix++;
+ 			newpath->end_blk = ext2fs_le32_to_cpu(ix->ei_block);
+@@ -1630,6 +1634,10 @@ errcode_t ext2fs_extent_delete(ext2_extent_handle_t handle, int flags)
+ 
+ 	cp = path->curr;
+ 
++	/* Sanity check before memmove() */
++	if (path->left < 0)
++		return EXT2_ET_EXTENT_LEAF_BAD;
++
+ 	if (path->left) {
+ 		memmove(cp, cp + sizeof(struct ext3_extent_idx),
+ 			path->left * sizeof(struct ext3_extent_idx));
+-- 
+2.25.1
+

meta/recipes-devtools/e2fsprogs/e2fsprogs_1.46.5.bb

@@ -4,6 +4,7 @@ SRC_URI += "file://remove.ldconfig.call.patch \
            file://run-ptest \
            file://ptest.patch \
            file://mkdir_p.patch \
+           file://extents.patch \
            "
 SRC_URI:append:class-native = " \
            file://e2fsprogs-fix-missing-check-for-permission-denied.patch \

meta/recipes-devtools/git/git_2.35.3.bb

@@ -2,7 +2,7 @@ SUMMARY = "Distributed version control system"
 HOMEPAGE = "http://git-scm.com"
 DESCRIPTION = "Git is a free and open source distributed version control system designed to handle everything from small to very large projects with speed and efficiency."
 SECTION = "console/utils"
-LICENSE = "GPL-2.0-only"
+LICENSE = "GPL-2.0-only & GPL-2.0-or-later & BSD-3-Clause & MIT & BSL-1.0 & LGPL-2.1-or-later"
 DEPENDS = "openssl zlib"
 
 PROVIDES:append:class-native = " git-replacement-native"
@@ -14,7 +14,16 @@ SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \
 
 S = "${WORKDIR}/git-${PV}"
 
-LIC_FILES_CHKSUM = "file://COPYING;md5=7c0d7ef03a7eb04ce795b0f60e68e7e1"
+LIC_FILES_CHKSUM = "\
+	file://COPYING;md5=7c0d7ef03a7eb04ce795b0f60e68e7e1 \
+	file://reftable/LICENSE;md5=1a6424cafc4c9c88c689848e165af33b \
+	file://sha1dc/LICENSE.txt;md5=9bbe4c990a9e98ea4b98ef5d3bcb8a7a \
+	file://compat/nedmalloc/License.txt;md5=e4224ccaecb14d942c71d31bef20d78c \
+	file://compat/inet_ntop.c;md5=76593c6f74e8ced5b24520175688d59b;endline=16 \
+	file://compat/obstack.h;md5=08ad25fee5428cd879ceef451ce3a22e;endline=18 \
+	file://compat/poll/poll.h;md5=9fc00170a53b8e3e52157c91ac688dd1;endline=19 \
+	file://compat/regex/regex.h;md5=30cc8af0e6f0f8a25acec6d8783bb763;beginline=4;endline=22 \
+"
 
 CVE_PRODUCT = "git-scm:git"
 
@@ -156,4 +165,4 @@ EXTRA_OECONF += "ac_cv_snprintf_returns_bogus=no \
                  "
 EXTRA_OEMAKE += "NO_GETTEXT=1"
 
-SRC_URI[tarball.sha256sum] = "0decc02a47e792f522df3183c38a61ad8fbb38927502ca6781467a6599a888cb"
+SRC_URI[tarball.sha256sum] = "cad708072d5c0b390c71651f5edb44143f00b357766973470bf9adebc0944c03"

meta/recipes-devtools/python/python3_3.10.4.bb

@@ -55,6 +55,9 @@ CVE_CHECK_IGNORE += "CVE-2007-4559"
 CVE_CHECK_IGNORE += "CVE-2019-18348"
 # These are specific to Microsoft Windows
 CVE_CHECK_IGNORE += "CVE-2020-15523 CVE-2022-26488"
+# The mailcap module is insecure by design, so this can't be fixed in a meaningful way.
+# The module will be removed in the future and flaws documented.
+CVE_CHECK_IGNORE += "CVE-2015-20107"
 
 PYTHON_MAJMIN = "3.10"
 

meta/recipes-devtools/qemu/qemu.inc

@@ -196,6 +196,7 @@ PACKAGECONFIG[libnfs] = "--enable-libnfs,--disable-libnfs,libnfs"
 PACKAGECONFIG[pmem] = "--enable-libpmem,--disable-libpmem,pmdk"
 PACKAGECONFIG[pulsedio] = "--enable-pa,--disable-pa,pulseaudio"
 PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux"
+PACKAGECONFIG[bpf] = "--enable-bpf,--disable-bpf,libbpf"
 
 INSANE_SKIP:${PN} = "arch"
 

meta/recipes-devtools/ruby/ruby_3.1.2.bb

@@ -14,7 +14,7 @@ SRC_URI += " \
            file://0001-vm_dump.c-Define-REG_S1-and-REG_S2-for-musl-riscv.patch \
            "
 
-SRC_URI[sha256sum] = "fe6e4782de97443978ddba8ba4be38d222aa24dc3e3f02a6a8e7701c0eeb619d"
+SRC_URI[sha256sum] = "61843112389f02b735428b53bb64cf988ad9fb81858b8248e22e57336f24a83e"
 
 PACKAGECONFIG ??= ""
 PACKAGECONFIG += "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"

meta/recipes-devtools/strace/strace/0001-landlock-update-expected-string.patch

@@ -0,0 +1,67 @@
+From d0dae2fb30b907bc9bf70382f37c9e00207ae036 Mon Sep 17 00:00:00 2001
+From: Bruce Ashfield <bruce.ashfield@gmail.com>
+Date: Sat, 30 Apr 2022 01:09:42 -0400
+Subject: [PATCH] landlock: update expected string
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Kernel commit:
+
+  commit 3d4b396a616d0d67bf95d6823ad1197f6247292e
+  Author: Christian Brauner <christian.brauner@ubuntu.com>
+  Date:   Mon Oct 11 15:37:04 2021 +0200
+
+      landlock: Use square brackets around "landlock-ruleset"
+
+      commit aea0b9f2486da8497f35c7114b764bf55e17c7ea upstream.
+
+      Make the name of the anon inode fd "[landlock-ruleset]" instead of
+      "landlock-ruleset". This is minor but most anon inode fds already
+      carry square brackets around their name:
+
+          [eventfd]
+          [eventpoll]
+          [fanotify]
+          [fscontext]
+          [io_uring]
+          [pidfd]
+          [signalfd]
+          [timerfd]
+          [userfaultfd]
+
+      For the sake of consistency lets do the same for the landlock-ruleset anon
+      inode fd that comes with landlock. We did the same in
+      1cdc415f1083 ("uapi, fsopen: use square brackets around "fscontext" [ver #2]")
+      for the new mount api.
+
+      Cc: linux-security-module@vger.kernel.org
+      Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
+      Link: https://lore.kernel.org/r/20211011133704.1704369-1-brauner@kernel.org
+      Cc: stable@vger.kernel.org
+      Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
+      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+Changed the format of the landlock tracing. We need to update the strace
+expected string to match.
+
+Upstream-Status: Submitted [https://lists.strace.io/pipermail/strace-devel/2022-April/011064.html]
+
+Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
+---
+ tests/landlock_create_ruleset-y.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/landlock_create_ruleset-y.c b/tests/landlock_create_ruleset-y.c
+index a30966b..50e19c2 100644
+--- a/tests/landlock_create_ruleset-y.c
++++ b/tests/landlock_create_ruleset-y.c
+@@ -1,4 +1,4 @@
+-#define FD_PATH "<anon_inode:landlock-ruleset>"
++#define FD_PATH "<anon_inode:[landlock-ruleset]>"
+ #define SKIP_IF_PROC_IS_UNAVAILABLE skip_if_unavailable("/proc/self/fd/")
+ 
+ #include "landlock_create_ruleset.c"
+-- 
+2.19.1
+

meta/recipes-devtools/strace/strace_5.16.bb

@@ -13,6 +13,7 @@ SRC_URI = "https://strace.io/files/${PV}/strace-${PV}.tar.xz \
            file://ptest-spacesave.patch \
            file://0001-strace-fix-reproducibilty-issues.patch \
            file://skip-load.patch \
+           file://0001-landlock-update-expected-string.patch \
            "
 SRC_URI[sha256sum] = "dc7db230ff3e57c249830ba94acab2b862da1fcaac55417e9b85041a833ca285"
 

meta/recipes-devtools/subversion/subversion/disable_macos.patch

@@ -1,71 +0,0 @@
-From 9c350c037ca3489dbeece6ecc2d7e2e5dbb177e9 Mon Sep 17 00:00:00 2001
-From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Sat, 11 May 2019 15:21:46 +0800
-Subject: [PATCH] These tests don't work in cross compiling, just disable them
- for now, we don't build subversion on OS-X at this time.
-
-RP 1014/7/16
-
-Upstream-Status: Pending [needs a rewrite to support a cache value]
-
-Rebase to 1.12.0
-
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
----
- build/ac-macros/macosx.m4 | 31 +------------------------------
- 1 file changed, 1 insertion(+), 30 deletions(-)
-
-diff --git a/build/ac-macros/macosx.m4 b/build/ac-macros/macosx.m4
-index 92fa58e..a568e1c 100644
---- a/build/ac-macros/macosx.m4
-+++ b/build/ac-macros/macosx.m4
-@@ -24,21 +24,7 @@ dnl Check for _dyld_image_name and _dyld_image_header availability
- AC_DEFUN(SVN_LIB_MACHO_ITERATE,
- [
-   AC_MSG_CHECKING([for Mach-O dynamic module iteration functions])
--  AC_RUN_IFELSE([AC_LANG_PROGRAM([[
--    #include <mach-o/dyld.h>
--    #include <mach-o/loader.h>
--  ]],[[
--    const struct mach_header *header = _dyld_get_image_header(0);
--    const char *name = _dyld_get_image_name(0);
--    if (name && header) return 0;
--    return 1;
--  ]])],[
--    AC_DEFINE([SVN_HAVE_MACHO_ITERATE], [1],
--              [Is Mach-O low-level _dyld API available?])
--    AC_MSG_RESULT([yes])
--  ],[
-     AC_MSG_RESULT([no])
--  ])
- ])
- 
- dnl SVN_LIB_MACOS_PLIST
-@@ -46,23 +32,8 @@ dnl Assign variables for Mac OS property list support
- AC_DEFUN(SVN_LIB_MACOS_PLIST,
- [
-   AC_MSG_CHECKING([for Mac OS property list utilities])
--
--  AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
--    #include <AvailabilityMacros.h>
--    #if !defined(MAC_OS_X_VERSION_MAX_ALLOWED) \
--     || !defined(MAC_OS_X_VERSION_10_0) \
--     || (MAC_OS_X_VERSION_MAX_ALLOWED <= MAC_OS_X_VERSION_10_0)
--    #error ProperyList API unavailable.
--    #endif
--  ]],[[]])],[
--    SVN_MACOS_PLIST_LIBS="-framework CoreFoundation"
--    AC_SUBST(SVN_MACOS_PLIST_LIBS)
--    AC_DEFINE([SVN_HAVE_MACOS_PLIST], [1],
--              [Is Mac OS property list API available?])
--    AC_MSG_RESULT([yes])
--  ],[
-+  AC_SUBST([SVN_MACOS_PLIST_LIBS], [""])
-     AC_MSG_RESULT([no])
--  ])
- ])
- 
- dnl SVN_LIB_MACOS_KEYCHAIN
--- 
-2.7.4
-

meta/recipes-devtools/subversion/subversion_1.14.2.bb

@@ -9,11 +9,10 @@ DEPENDS = "apr-util serf sqlite3 file lz4"
 DEPENDS:append:class-native = " file-replacement-native"
 
 SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
-           file://disable_macos.patch \
            file://serfmacro.patch \
            "
 
-SRC_URI[sha256sum] = "2c5da93c255d2e5569fa91d92457fdb65396b0666fad4fd59b22e154d986e1a9"
+SRC_URI[sha256sum] = "c9130e8d0b75728a66f0e7038fc77052e671830d785b5616aad53b4810d3cc28"
 
 inherit autotools pkgconfig gettext python3native
 

meta/recipes-extended/go-examples/go-helloworld_0.1.bb

@@ -11,7 +11,7 @@ UPSTREAM_CHECK_COMMITS = "1"
 
 GO_IMPORT = "golang.org/x/example"
 GO_INSTALL = "${GO_IMPORT}/hello"
-GO_WORKDIR = "${GO_INSTALL}"
+
 export GO111MODULE="off"
 
 inherit go

meta/recipes-extended/mdadm/mdadm_4.2.bb

@@ -35,8 +35,6 @@ DEPENDS = "udev"
 SYSTEMD_SERVICE:${PN} = "mdmonitor.service"
 SYSTEMD_AUTO_ENABLE = "disable"
 
-CFLAGS:append:toolchain-clang = " -Wno-error=address-of-packed-member"
-
 # PPC64 and MIPS64 uses long long for u64 in the kernel, but powerpc's asm/types.h
 # prevents 64-bit userland from seeing this definition, instead defaulting
 # to u64 == long in userspace. Define __SANE_USERSPACE_TYPES__ to get