migration-guides: add release notes for 4.0.32

(From yocto-docs rev: 398a2a080361eb22b9c447dbde31fca58bf4e0bb)

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 095981c08b9d63905472df5d1d60c07af96f0250)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

bitbake/lib/bb/tests/fetch.py

@@ -1335,7 +1335,7 @@ class FetchLatestVersionTest(FetcherTest):
         # combination version pattern
         ("sysprof", "git://git.yoctoproject.org/sysprof.git;protocol=https;branch=master", "cd44ee6644c3641507fb53b8a2a69137f2971219", "")
             : "1.2.0",
-        ("u-boot-mkimage", "git://source.denx.de/u-boot/u-boot.git;branch=master;protocol=https", "62c175fbb8a0f9a926c88294ea9f7e88eb898f6c", "")
+        ("u-boot-mkimage", "git://git.yoctoproject.org/bbfetchtests-u-boot.git;branch=master;protocol=https", "62c175fbb8a0f9a926c88294ea9f7e88eb898f6c", "")
             : "2014.01",
         # version pattern "yyyymmdd"
         ("mobile-broadband-provider-info", "git://git.yoctoproject.org/mobile-broadband-provider-info.git;protocol=https;branch=master", "4ed19e11c2975105b71b956440acdb25d46a347d", "")

documentation/README

@@ -429,5 +429,22 @@ both the Yocto Project and BitBake manuals:
 Submitting documentation changes
 ================================
 
-Please see the top level README file in this repository for details of where
-to send patches.
+Please refer to our contributor guide here: https://docs.yoctoproject.org/contributor-guide/
+for full details on how to submit changes.
+
+As a quick guide, patches should be sent to docs@lists.yoctoproject.org
+The git command to do that would be:
+
+     git send-email -M -1 --to docs@lists.yoctoproject.org
+
+The 'To' header can be set as default for this repository:
+
+     git config sendemail.to docs@lists.yoctoproject.org
+
+Now you can just do 'git send-email origin/master..' to send all local patches.
+
+Read the other sections in this document and documentation/standards.md for
+rules to follow when contributing to the documentation.
+
+Git repository: https://git.yoctoproject.org/yocto-docs
+Mailing list: docs@lists.yoctoproject.org

documentation/brief-yoctoprojectqs/index.rst

@@ -57,7 +57,7 @@ following requirements:
    :ref:`dev-manual/start:preparing the build host`
    section in the Yocto Project Development Tasks Manual.
 
--
+-  Ensure that the following utilities have these minimum version numbers:
 
    -  Git &MIN_GIT_VERSION; or greater
    -  tar &MIN_TAR_VERSION; or greater
@@ -65,7 +65,7 @@ following requirements:
    -  gcc &MIN_GCC_VERSION; or greater.
    -  GNU make &MIN_MAKE_VERSION; or greater
 
-If your build host does not meet any of these three listed version
+If your build host does not satisfy all of the above version
 requirements, you can take steps to prepare the system so that you
 can still use the Yocto Project. See the
 :ref:`ref-manual/system-requirements:required git, tar, python, make and gcc versions`
@@ -182,7 +182,7 @@ an entire Linux distribution, including the toolchain, from source.
       page of the Yocto Project Wiki.
 
 #. **Initialize the Build Environment:** From within the ``poky``
-   directory, run the :ref:`ref-manual/structure:\`\`oe-init-build-env\`\``
+   directory, run the :ref:`ref-manual/structure:``oe-init-build-env```
    environment
    setup script to define Yocto Project's build environment on your
    build host.
@@ -252,7 +252,7 @@ an entire Linux distribution, including the toolchain, from source.
       file in the :term:`Build Directory`::
 
          BB_HASHSERVE_UPSTREAM = "hashserv.yoctoproject.org:8686"
-         SSTATE_MIRRORS ?= "file://.* http://cdn.jsdelivr.net/yocto/sstate/all/PATH;downloadfilename=PATH"
+         SSTATE_MIRRORS ?= "file://.* http://sstate.yoctoproject.org/all/PATH;downloadfilename=PATH"
          BB_HASHSERVE = "auto"
          BB_SIGNATURE_HANDLER = "OEEquivHash"
 

documentation/bsp-guide/bsp.rst

@@ -81,7 +81,7 @@ directory of that Layer. This directory is what you add to the
 ``conf/bblayers.conf`` file found in your
 :term:`Build Directory`, which is
 established after you run the OpenEmbedded build environment setup
-script (i.e. :ref:`ref-manual/structure:\`\`oe-init-build-env\`\``).
+script (i.e. :ref:`ref-manual/structure:``oe-init-build-env```).
 Adding the root directory allows the :term:`OpenEmbedded Build System`
 to recognize the BSP
 layer and from it build an image. Here is an example::
@@ -230,7 +230,7 @@ section.
 
 #. *Initialize the Build Environment:* While in the root directory of
    the Source Directory (i.e. ``poky``), run the
-   :ref:`ref-manual/structure:\`\`oe-init-build-env\`\`` environment
+   :ref:`ref-manual/structure:``oe-init-build-env``` environment
    setup script to define the OpenEmbedded build environment on your
    build host. ::
 
@@ -675,21 +675,21 @@ to the kernel recipe by using a similarly named append file, which is
 located in the BSP Layer for your target device (e.g. the
 ``meta-bsp_root_name/recipes-kernel/linux`` directory).
 
-Suppose you are using the ``linux-yocto_4.4.bb`` recipe to build the
+Suppose you are using the ``linux-yocto_6.12.bb`` recipe to build the
 kernel. In other words, you have selected the kernel in your
 ``"bsp_root_name".conf`` file by adding
 :term:`PREFERRED_PROVIDER` and :term:`PREFERRED_VERSION`
 statements as follows::
 
    PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
-   PREFERRED_VERSION_linux-yocto ?= "4.4%"
+   PREFERRED_VERSION_linux-yocto ?= "6.12%"
 
 .. note::
 
    When the preferred provider is assumed by default, the :term:`PREFERRED_PROVIDER`
    statement does not appear in the ``"bsp_root_name".conf`` file.
 
-You would use the ``linux-yocto_4.4.bbappend`` file to append specific
+You would use the ``linux-yocto_6.12.bbappend`` file to append specific
 BSP settings to the kernel, thus configuring the kernel for your
 particular BSP.
 
@@ -699,14 +699,19 @@ in the Yocto Project Linux Kernel Development Manual.
 
 An alternate scenario is when you create your own kernel recipe for the
 BSP. A good example of this is the Raspberry Pi BSP. If you examine the
-``recipes-kernel/linux`` directory you see the following::
+``recipes-kernel/linux`` directory in that layer you see the following
+Raspberry Pi-specific recipes and associated files::
 
+   files/
+   linux-raspberrypi_6.12.bb
+   linux-raspberrypi_6.1.bb
+   linux-raspberrypi_6.6.bb
    linux-raspberrypi-dev.bb
    linux-raspberrypi.inc
-   linux-raspberrypi_4.14.bb
-   linux-raspberrypi_4.9.bb
-
-The directory contains three kernel recipes and a common include file.
+   linux-raspberrypi-v7_6.12.bb
+   linux-raspberrypi-v7_6.1.bb
+   linux-raspberrypi-v7_6.6.bb
+   linux-raspberrypi-v7.inc
 
 Developing a Board Support Package (BSP)
 ========================================
@@ -1179,7 +1184,7 @@ Use these steps to create a BSP layer:
 
 -  *Create a Kernel Recipe:* Create a kernel recipe in
    ``recipes-kernel/linux`` by either using a kernel append file or a
-   new custom kernel recipe file (e.g. ``linux-yocto_4.12.bb``). The BSP
+   new custom kernel recipe file (e.g. ``linux-yocto_6.12.bb``). The BSP
    layers mentioned in the previous step also contain different kernel
    examples. See the ":ref:`kernel-dev/common:modifying an existing recipe`"
    section in the Yocto Project Linux Kernel Development Manual for

documentation/conf.py

@@ -13,6 +13,7 @@
 # documentation root, use os.path.abspath to make it absolute, like shown here.
 #
 import os
+import re
 import sys
 import datetime
 try:
@@ -165,6 +166,24 @@ latex_elements = {
     'preamble': '\\setcounter{tocdepth}{2}',
 }
 
+
+from sphinx.search import SearchEnglish
+from sphinx.search import languages
+class DashFriendlySearchEnglish(SearchEnglish):
+
+    # Accept words that can include 'inner' hyphens or dots
+    _word_re = re.compile(r'[\w]+(?:[\.\-][\w]+)*')
+
+    js_splitter_code = r"""
+function splitQuery(query) {
+    return query
+        .split(/[^\p{Letter}\p{Number}_\p{Emoji_Presentation}\-\.]+/gu)
+        .filter(term => term.length > 0);
+}
+"""
+
+languages['en'] = DashFriendlySearchEnglish
+
 # Make the EPUB builder prefer PNG to SVG because of issues rendering Inkscape SVG
 from sphinx.builders.epub3 import Epub3Builder
 Epub3Builder.supported_image_types = ['image/png', 'image/gif', 'image/jpeg']

documentation/contributor-guide/recipe-style-guide.rst

@@ -221,6 +221,20 @@ Recipes need to define both the :term:`LICENSE` and
    ``meta/files/common-licenses/`` or the :term:`SPDXLICENSEMAP` flag names
    defined in ``meta/conf/licenses.conf``.
 
+   .. note::
+
+      Setting a :term:`LICENSE` in a recipe applies to the software to be built
+      by this recipe, not to the recipe file itself. The license of recipes,
+      configuration files and scripts should also be clearly specified, for
+      example via comments or via a license found in the :term:`layer` that
+      holds these files. These license files are usually found at the root of
+      the layer. Exceptions should be clearly stated in the layer README or
+      LICENSE file.
+
+      For example, the :term:`OpenEmbedded-Core (OE-Core)` layer provides both
+      the GPL-2.0-only and MIT license files, and a "LICENSE" file to explain
+      how these two licenses are attributed to files found in the layer.
+
 -  :term:`LIC_FILES_CHKSUM`: The OpenEmbedded build system uses this
    variable to make sure the license text has not changed. If it has,
    the build produces an error and it affords you the chance to figure

documentation/contributor-guide/submit-changes.rst

@@ -123,110 +123,116 @@ to add the upgraded version.
 
       $ git commit -s file1 file2 dir1 dir2 ...
 
-   To include **a**\ ll staged files::
+   To include all staged files::
 
       $ git commit -sa
 
-   -  The ``-s`` option of ``git commit`` adds a "Signed-off-by:" line
-      to your commit message. There is the same requirement for contributing
-      to the Linux kernel. Adding such a line signifies that you, the
-      submitter, have agreed to the `Developer's Certificate of Origin 1.1
-      <https://www.kernel.org/doc/html/latest/process/submitting-patches.html#sign-your-work-the-developer-s-certificate-of-origin>`__
-      as follows:
+   #.  The ``-s`` option of ``git commit`` adds a "Signed-off-by:" line
+       to your commit message. There is the same requirement for contributing
+       to the Linux kernel. Adding such a line signifies that you, the
+       submitter, have agreed to the `Developer's Certificate of Origin 1.1
+       <https://www.kernel.org/doc/html/latest/process/submitting-patches.html#sign-your-work-the-developer-s-certificate-of-origin>`__
+       as follows:
 
-      .. code-block:: none
+       .. code-block:: none
 
-         Developer's Certificate of Origin 1.1
+          Developer's Certificate of Origin 1.1
 
-         By making a contribution to this project, I certify that:
+          By making a contribution to this project, I certify that:
 
-         (a) The contribution was created in whole or in part by me and I
-             have the right to submit it under the open source license
-             indicated in the file; or
+          (a) The contribution was created in whole or in part by me and I
+              have the right to submit it under the open source license
+              indicated in the file; or
 
-         (b) The contribution is based upon previous work that, to the best
-             of my knowledge, is covered under an appropriate open source
-             license and I have the right under that license to submit that
-             work with modifications, whether created in whole or in part
-             by me, under the same open source license (unless I am
-             permitted to submit under a different license), as indicated
-             in the file; or
+          (b) The contribution is based upon previous work that, to the best
+              of my knowledge, is covered under an appropriate open source
+              license and I have the right under that license to submit that
+              work with modifications, whether created in whole or in part
+              by me, under the same open source license (unless I am
+              permitted to submit under a different license), as indicated
+              in the file; or
 
-         (c) The contribution was provided directly to me by some other
-             person who certified (a), (b) or (c) and I have not modified
-             it.
+          (c) The contribution was provided directly to me by some other
+              person who certified (a), (b) or (c) and I have not modified
+              it.
 
-         (d) I understand and agree that this project and the contribution
-             are public and that a record of the contribution (including all
-             personal information I submit with it, including my sign-off) is
-             maintained indefinitely and may be redistributed consistent with
-             this project or the open source license(s) involved.
+          (d) I understand and agree that this project and the contribution
+              are public and that a record of the contribution (including all
+              personal information I submit with it, including my sign-off) is
+              maintained indefinitely and may be redistributed consistent with
+              this project or the open source license(s) involved.
 
-   -  Provide a single-line summary of the change and, if more
-      explanation is needed, provide more detail in the body of the
-      commit. This summary is typically viewable in the "shortlist" of
-      changes. Thus, providing something short and descriptive that
-      gives the reader a summary of the change is useful when viewing a
-      list of many commits. You should prefix this short description
-      with the recipe name (if changing a recipe), or else with the
-      short form path to the file being changed.
+   #.  Provide a single-line summary of the change and, if more
+       explanation is needed, provide more detail in the description of the
+       commit. This summary is typically viewable in the "shortlist" of
+       changes. Thus, providing something short and descriptive that
+       gives the reader a summary of the change is useful when viewing a
+       list of many commits. You should prefix this short description
+       with the recipe name (if changing a recipe), or else with the
+       short form path to the file being changed.
+
+       .. note::
+
+          To find a suitable prefix for the commit summary, a good idea
+          is to look for prefixes used in previous commits touching the
+          same files or directories::
+
+             git log --oneline <paths>
+
+   #.  For the commit description, provide detailed information
+       that describes what you changed, why you made the change, and the
+       approach you used. It might also be helpful if you mention how you
+       tested the change. Provide as much detail as you can in the commit
+       description.
+
+       .. note::
+
+          If the single line summary is enough to describe a simple
+          change, the commit description can be left empty.
+
+   #.  If the change addresses a specific bug or issue that is associated
+       with a bug-tracking ID, include a reference to that ID in the body of the
+       commit message. For example, the Yocto Project uses a
+       specific convention for bug references --- any commit that addresses
+       a specific bug should use the following form for the body of the commit
+       message. Be sure to use the actual bug-tracking ID from
+       Bugzilla for bug-id::
+
+          single-line summary of change
+
+          Fixes [YOCTO #bug-id]
+
+          detailed description of change
+
+   #. If other people participated in this patch, add some tags to the commit
+      description to credit other contributors to the change:
+
+      -  ``Reported-by``: name and email of a person reporting a bug
+         that your commit is trying to fix. This is a good practice
+         to encourage people to go on reporting bugs and let them
+         know that their reports are taken into account.
+
+      -  ``Suggested-by``: name and email of a person to credit for the
+         idea of making the change.
+
+      -  ``Tested-by``, ``Reviewed-by``: name and email for people having
+         tested your changes or reviewed their code. These fields are
+         usually added by the maintainer accepting a patch, or by
+         yourself if you submitted your patches to early reviewers,
+         or are submitting an unmodified patch again as part of a
+         new iteration of your patch series.
+
+      -  ``Cc``: name and email of people you want to send a copy
+         of your changes to. This field will be used by ``git send-email``.
+
+      See `more guidance about using such tags
+      <https://www.kernel.org/doc/html/latest/process/submitting-patches.html#using-reported-by-tested-by-reviewed-by-suggested-by-and-fixes>`__
+      in the Linux kernel documentation.
 
       .. note::
 
-         To find a suitable prefix for the commit summary, a good idea
-         is to look for prefixes used in previous commits touching the
-         same files or directories::
-
-            git log --oneline <paths>
-
-   -  For the body of the commit message, provide detailed information
-      that describes what you changed, why you made the change, and the
-      approach you used. It might also be helpful if you mention how you
-      tested the change. Provide as much detail as you can in the body
-      of the commit message.
-
-      .. note::
-
-         If the single line summary is enough to describe a simple
-         change, the body of the commit message can be left empty.
-
-   -  If the change addresses a specific bug or issue that is associated
-      with a bug-tracking ID, include a reference to that ID in your
-      detailed description. For example, the Yocto Project uses a
-      specific convention for bug references --- any commit that addresses
-      a specific bug should use the following form for the detailed
-      description. Be sure to use the actual bug-tracking ID from
-      Bugzilla for bug-id::
-
-         Fixes [YOCTO #bug-id]
-
-         detailed description of change
-
-#. *Crediting contributors:* By using the ``git commit --amend`` command,
-   you can add some tags to the commit description to credit other contributors
-   to the change:
-
-   -  ``Reported-by``: name and email of a person reporting a bug
-      that your commit is trying to fix. This is a good practice
-      to encourage people to go on reporting bugs and let them
-      know that their reports are taken into account.
-
-   -  ``Suggested-by``: name and email of a person to credit for the
-      idea of making the change.
-
-   -  ``Tested-by``, ``Reviewed-by``: name and email for people having
-      tested your changes or reviewed their code. These fields are
-      usually added by the maintainer accepting a patch, or by
-      yourself if you submitted your patches to early reviewers,
-      or are submitting an unmodified patch again as part of a
-      new iteration of your patch series.
-
-   -  ``CC:`` Name and email of people you want to send a copy
-      of your changes to. This field will be used by ``git send-email``.
-
-   See `more guidance about using such tags
-   <https://www.kernel.org/doc/html/latest/process/submitting-patches.html#using-reported-by-tested-by-reviewed-by-suggested-by-and-fixes>`__
-   in the Linux kernel documentation.
+         One can amend an existing git commit message to add missing tags for
+         contributors with the ``git commit --amend`` command.
 
 Test your changes
 -----------------
@@ -650,8 +656,8 @@ backported to a stable branch unless the bug in question does not affect the
 master branch or the fix on the master branch is unsuitable for backporting.
 
 The list of stable branches along with the status and maintainer for each
-branch can be obtained from the
-:yocto_wiki:`Releases wiki page </Releases>`.
+branch can be obtained from the :yocto_home:`Releases </development/releases/>`
+page.
 
 .. note::
 
@@ -735,6 +741,38 @@ argument to ``git format-patch`` with a version number::
 
    git format-patch -v2 <ref-branch>
 
+
+After generating updated patches (v2, v3, and so on) via ``git
+format-patch``, ideally developers will add a patch version changelog
+to each patch that describes what has changed between each revision of
+the patch. Add patch version changelogs after the ``---`` marker in the
+patch, indicating that this information is part of this patch, but is not
+suitable for inclusion in the commit message (i.e. the git history) itself.
+Providing a patch version changelog makes it easier for maintainers and
+reviewers to succinctly understand what changed in all versions of the
+patch, without having to consult alternate sources of information, such as
+searching through messages on a mailing list. For example::
+
+   <patch title>
+
+   <commit message>
+
+   <Signed-off-by/other trailers>
+   ---
+   changes in v4:
+   - provide a clearer commit message
+   - fix spelling mistakes
+
+   changes in v3:
+   - replace func() to use other_func() instead
+
+   changes in v2:
+   - this patch was added in v2
+   ---
+   <diffstat output>
+
+   <unified diff>
+
 Lastly please ensure that you also test your revised changes. In particular
 please don't just edit the patch file written out by ``git format-patch`` and
 resend it.

documentation/dev-manual/building.rst

@@ -909,6 +909,11 @@ to point to that directory::
 
    EXTERNALSRC_BUILD:pn-myrecipe = "path-to-your-source-tree"
 
+.. note::
+
+   The values of :term:`EXTERNALSRC` and :term:`EXTERNALSRC_BUILD`
+   must be absolute paths.
+
 Replicating a Build Offline
 ===========================
 

documentation/dev-manual/debugging.rst

@@ -36,7 +36,7 @@ section:
    use the BitBake ``-e`` option to examine variable values after a
    recipe has been parsed.
 
--  ":ref:`dev-manual/debugging:viewing package information with \`\`oe-pkgdata-util\`\``"
+-  ":ref:`dev-manual/debugging:viewing package information with ``oe-pkgdata-util```"
    describes how to use the ``oe-pkgdata-util`` utility to query
    :term:`PKGDATA_DIR` and
    display package-related information for built packages.
@@ -111,17 +111,17 @@ occurred in your project. Perhaps an attempt to :ref:`modify a variable
 <bitbake-user-manual/bitbake-user-manual-metadata:modifying existing
 variables>` did not work out as expected.
 
-BitBake's ``-e`` option is used to display variable values after
-parsing. The following command displays the variable values after the
-configuration files (i.e. ``local.conf``, ``bblayers.conf``,
+BitBake's ``bitbake-getvar`` command is used to display variable values after
+parsing. The following command displays the variable value for :term:`OVERRIDES`
+after the configuration files (i.e. ``local.conf``, ``bblayers.conf``,
 ``bitbake.conf`` and so forth) have been parsed::
 
-   $ bitbake -e
+   $ bitbake-getvar OVERRIDES
 
-The following command displays variable values after a specific recipe has
-been parsed. The variables include those from the configuration as well::
+The following command displays the value of :term:`PV` after a specific recipe
+has been parsed::
 
-   $ bitbake -e recipename
+   $ bitbake-getvar -r recipename PV
 
 .. note::
 
@@ -135,19 +135,25 @@ been parsed. The variables include those from the configuration as well::
    the recipe datastore, which means that variables set within one task
    will not be visible to other tasks.
 
-In the output of ``bitbake -e``, each variable is preceded by a
-description of how the variable got its value, including temporary
-values that were later overridden. This description also includes
-variable flags (varflags) set on the variable. The output can be very
+In the output of ``bitbake-getvar``, the line containing the value of the
+variable is preceded by a description of how the variable got its value,
+including temporary values that were later overridden. This description also
+includes variable flags (varflags) set on the variable. The output can be very
 helpful during debugging.
 
 Variables that are exported to the environment are preceded by
-``export`` in the output of ``bitbake -e``. See the following example::
+``export`` in the output of ``bitbake-getvar``. See the following example::
 
    export CC="i586-poky-linux-gcc -m32 -march=i586 --sysroot=/home/ulf/poky/build/tmp/sysroots/qemux86"
 
-In addition to variable values, the output of the ``bitbake -e`` and
-``bitbake -e`` recipe commands includes the following information:
+Shell functions and tasks can also be inspected with the same mechanism::
+
+   $ bitbake-getvar -r recipename do_install
+
+For Python functions and tasks, ``bitbake -e recipename`` can be used instead.
+
+Moreover, the output of the ``bitbake -e`` and ``bitbake -e`` recipe commands
+includes the following information:
 
 -  The output starts with a tree listing all configuration files and
    classes included globally, recursively listing the files they include

documentation/dev-manual/index.rst

@@ -41,7 +41,6 @@ Yocto Project Development Tasks Manual
    build-quality
    debugging
    licenses
-   security-subjects
    vulnerabilities
    sbom
    error-reporting-tool

documentation/dev-manual/layers.rst

@@ -123,10 +123,9 @@ Follow these general steps to create your layer without using tools:
       Lists all layers on which this layer depends (if any).
 
    -  :term:`LAYERSERIES_COMPAT`:
-      Lists the :yocto_wiki:`Yocto Project </Releases>`
-      releases for which the current version is compatible. This
-      variable is a good way to indicate if your particular layer is
-      current.
+      Lists the :yocto_home:`Yocto Project releases </development/releases/>`
+      for which the current version is compatible. This variable is a good
+      way to indicate if your particular layer is current.
 
 
    .. note::
@@ -822,6 +821,8 @@ The following list describes the available commands:
 
 -  ``create-layer``: Creates a basic layer.
 
+-  ``show-machines``: Lists the machines available in the currently configured layers.
+
 Creating a General Layer Using the ``bitbake-layers`` Script
 ============================================================
 

documentation/dev-manual/new-recipe.rst

@@ -56,7 +56,7 @@ necessary when adding a recipe to build a new piece of software to be
 included in a build.
 
 You can find a complete description of the ``devtool add`` command in
-the ":ref:`sdk-manual/extensible:a closer look at \`\`devtool add\`\``" section
+the ":ref:`sdk-manual/extensible:a closer look at ``devtool add```" section
 in the Yocto Project Application Development and the Extensible Software
 Development Kit (eSDK) manual.
 
@@ -83,19 +83,20 @@ command::
    OpenEmbedded recipe tool
 
    options:
-     -d, --debug     Enable debug output
-     -q, --quiet     Print only errors
-     --color COLOR   Colorize output (where COLOR is auto, always, never)
-     -h, --help      show this help message and exit
+     -d, --debug       Enable debug output
+     -q, --quiet       Print only errors
+     --color COLOR     Colorize output (where COLOR is auto, always, never)
+     -h, --help        show this help message and exit
 
    subcommands:
-     create          Create a new recipe
-     newappend       Create a bbappend for the specified target in the specified
-                       layer
-     setvar          Set a variable within a recipe
-     appendfile      Create/update a bbappend to replace a target file
-     appendsrcfiles  Create/update a bbappend to add or replace source files
-     appendsrcfile   Create/update a bbappend to add or replace a source file
+     newappend         Create a bbappend for the specified target in the specified layer
+     create            Create a new recipe
+     setvar            Set a variable within a recipe
+     appendfile        Create/update a bbappend to replace a target file
+     appendsrcfiles    Create/update a bbappend to add or replace source files
+     appendsrcfile     Create/update a bbappend to add or replace a source file
+     edit              Edit the recipe and appends for the specified target. This obeys $VISUAL if set,
+                       otherwise $EDITOR, otherwise vi.
    Use recipetool <subcommand> --help to get help on a specific command
 
 Running ``recipetool create -o OUTFILE`` creates the base recipe and
@@ -218,9 +219,9 @@ compilation and packaging files, and so forth.
 
 The path to the per-recipe temporary work directory depends on the
 context in which it is being built. The quickest way to find this path
-is to have BitBake return it by running the following::
+is to use the ``bitbake-getvar`` utility::
 
-   $ bitbake -e basename | grep ^WORKDIR=
+   $ bitbake-getvar -r basename WORKDIR
 
 As an example, assume a Source Directory
 top-level folder named ``poky``, a default :term:`Build Directory` at
@@ -438,7 +439,7 @@ Licensing
 =========
 
 Your recipe needs to define variables related to the license
-under whith the software is distributed. See the
+under which the software is distributed. See the
 :ref:`contributor-guide/recipe-style-guide:recipe license fields`
 section in the Contributor Guide for details.
 

documentation/dev-manual/packages.rst

@@ -279,8 +279,23 @@ with a number. The number used depends on the state of the PR Service:
 
    .. code-block:: none
 
-      hello-world-git_0.0+git0+b6558dd387-r0.0_armv7a-neon.ipk
-      hello-world-git_0.0+git1+dd2f5c3565-r0.0_armv7a-neon.ipk
+      hello-world-git_1.0+git0+b6558dd387-r0.0_armv7a-neon.ipk
+      hello-world-git_1.0+git1+dd2f5c3565-r0.1_armv7a-neon.ipk
+
+   Two numbers got incremented here:
+
+   -  ``gitX`` changed from ``git0`` to ``git1``. This is because there was a
+      change in the source code (``SRCREV``).
+
+   -  ``r0.X`` changed from ``r0.0`` to ``r0.1``. This is because the hash of
+      the :ref:`ref-tasks-package` task changed.
+
+      The reason for this change can be many. To understand why the hash of the
+      :ref:`ref-tasks-package` task changed, you can run the following command:
+
+      .. code-block:: console
+
+         $ bitbake-diffsigs -t hello-world package
 
 -  If PR Service is not enabled, the build system replaces the
    ``AUTOINC`` placeholder with zero (i.e. "0"). This results in
@@ -290,8 +305,8 @@ with a number. The number used depends on the state of the PR Service:
 
    .. code-block:: none
 
-      hello-world-git_0.0+git0+b6558dd387-r0.0_armv7a-neon.ipk
-      hello-world-git_0.0+git0+dd2f5c3565-r0.0_armv7a-neon.ipk
+      hello-world-git_1.0+git0+b6558dd387-r0_armv7a-neon.ipk
+      hello-world-git_1.0+git0+dd2f5c3565-r0_armv7a-neon.ipk
 
 In summary, the OpenEmbedded build system does not track the history of
 binary package versions for this purpose. ``AUTOINC``, in this case, is

documentation/dev-manual/sbom.rst

@@ -30,16 +30,9 @@ To make this happen, you must inherit the
 
    INHERIT += "create-spdx"
 
-Upon building an image, you will then get:
-
--  :term:`SPDX` output in JSON format as an ``IMAGE-MACHINE.spdx.json`` file in
-   ``tmp/deploy/images/MACHINE/`` inside the :term:`Build Directory`.
-
--  This toplevel file is accompanied by an ``IMAGE-MACHINE.spdx.index.json``
-   containing an index of JSON :term:`SPDX` files for individual recipes.
-
--  The compressed archive ``IMAGE-MACHINE.spdx.tar.zst`` contains the index
-   and the files for the single recipes.
+Upon building an image, you will then get the compressed archive
+``IMAGE-MACHINE.spdx.tar.zst`` contains the index and the files for the single
+recipes.
 
 The :ref:`ref-classes-create-spdx` class offers options to include
 more information in the output :term:`SPDX` data:
@@ -56,7 +49,7 @@ more information in the output :term:`SPDX` data:
 
 Though the toplevel :term:`SPDX` output is available in
 ``tmp/deploy/images/MACHINE/`` inside the :term:`Build Directory`, ancillary
-generated files are available in ``tmp/deploy/spdx/MACHINE`` too, such as:
+generated files are available in ``tmp/deploy/spdx`` too, such as:
 
 -  The individual :term:`SPDX` JSON files in the ``IMAGE-MACHINE.spdx.tar.zst``
    archive.

documentation/dev-manual/security-subjects.rst

@@ -1,189 +0,0 @@
-.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
-
-Dealing with Vulnerability Reports
-**********************************
-
-The Yocto Project and OpenEmbedded are open-source, community-based projects
-used in numerous products. They assemble multiple other open-source projects,
-and need to handle security issues and practices both internal (in the code
-maintained by both projects), and external (maintained by other projects and
-organizations).
-
-This manual assembles security-related information concerning the whole
-ecosystem. It includes information on reporting a potential security issue,
-the operation of the YP Security team and how to contribute in the
-related code. It is written to be useful for both security researchers and
-YP developers.
-
-How to report a potential security vulnerability?
-=================================================
-
-If you would like to report a public issue (for example, one with a released
-CVE number), please report it using the
-:yocto_bugs:`Security Bugzilla </enter_bug.cgi?product=Security>`.
-
-If you are dealing with a not-yet-released issue, or an urgent one, please send
-a message to security AT yoctoproject DOT org, including as many details as
-possible: the layer or software module affected, the recipe and its version,
-and any example code, if available. This mailing list is monitored by the
-Yocto Project Security team.
-
-For each layer, you might also look for specific instructions (if any) for
-reporting potential security issues in the specific ``SECURITY.md`` file at the
-root of the repository. Instructions on how and where submit a patch are
-usually available in ``README.md``. If this is your first patch to the
-Yocto Project/OpenEmbedded, you might want to have a look into the
-Contributor's Manual section
-":ref:`contributor-guide/submit-changes:preparing changes for submission`".
-
-Branches maintained with security fixes
----------------------------------------
-
-See the
-:ref:`Release process <ref-manual/release-process:Stable Release Process>`
-documentation for details regarding the policies and maintenance of stable
-branches.
-
-The :yocto_wiki:`Releases page </Releases>` contains a list
-of all releases of the Yocto Project. Versions in gray are no longer actively
-maintained with security patches, but well-tested patches may still be accepted
-for them for significant issues.
-
-Security-related discussions at the Yocto Project
--------------------------------------------------
-
-We have set up two security-related mailing lists:
-
-  -  Public List: yocto [dash] security [at] yoctoproject[dot] org
-
-    This is a public mailing list for anyone to subscribe to. This list is an
-    open list to discuss public security issues/patches and security-related
-    initiatives. For more information, including subscription information,
-    please see the  :yocto_lists:`yocto-security mailing list info page </g/yocto-security>`.
-
-  - Private List: security [at] yoctoproject [dot] org
-
-    This is a private mailing list for reporting non-published potential
-    vulnerabilities. The list is monitored by the Yocto Project Security team.
-
-
-What you should do if you find a security vulnerability
--------------------------------------------------------
-
-If you find a security flaw: a crash, an information leakage, or anything that
-can have a security impact if exploited in any Open Source software built or
-used by the Yocto Project, please report this to the Yocto Project Security
-Team. If you prefer to contact the upstream project directly, please send a
-copy to the security team at the Yocto Project as well. If you believe this is
-highly sensitive information, please report the vulnerability in a secure way,
-i.e. encrypt the email and send it to the private list. This ensures that
-the exploit is not leaked and exploited before a response/fix has been generated.
-
-Security team
-=============
-
-The Yocto Project/OpenEmbedded security team coordinates the work on security
-subjects in the project. All general discussion takes place publicly. The
-Security Team only uses confidential communication tools to deal with private
-vulnerability reports before they are released.
-
-Security team appointment
--------------------------
-
-The Yocto Project Security Team consists of at least three members. When new
-members are needed, the Yocto Project Technical Steering Committee (YP TSC)
-asks for nominations by public channels including a nomination deadline.
-Self-nominations are possible. When the limit time is
-reached, the YP TSC posts the list of candidates for the comments of project
-participants and developers. Comments may be sent publicly or privately to the
-YP and OE TSCs. The candidates are approved by both YP TSC and OpenEmbedded
-Technical Steering Committee (OE TSC) and the final list of the team members
-is announced publicly. The aim is to have people representing technical
-leadership, security knowledge and infrastructure present with enough people
-to provide backup/coverage but keep the notification list small enough to
-minimize information risk and maintain trust.
-
-YP Security Team members may resign at any time.
-
-Security Team Operations
-------------------------
-
-The work of the Security Team might require high confidentiality. Team members
-are individuals selected by merit and do not represent the companies they work
-for. They do not share information about confidential issues outside of the team
-and do not hint about ongoing embargoes.
-
-Team members can bring in domain experts as needed. Those people should be
-added to individual issues only and adhere to the same standards as the YP
-Security Team.
-
-The YP security team organizes its meetings and communication as needed.
-
-When the YP Security team receives a report about a potential security
-vulnerability, they quickly analyze and notify the reporter of the result.
-They might also request more information.
-
-If the issue is confirmed and affects the code maintained by the YP, they
-confidentially notify maintainers of that code and work with them to prepare
-a fix.
-
-If the issue is confirmed and affects an upstream project, the YP security team
-notifies the project. Usually, the upstream project analyzes the problem again.
-If they deem it a real security problem in their software, they develop and
-release a fix following their security policy. They may want to include the
-original reporter in the loop. There is also sometimes some coordination for
-handling patches, backporting patches etc, or just understanding the problem
-or what caused it.
-
-When the fix is publicly available, the YP security team member or the
-package maintainer sends patches against the YP code base, following usual
-procedures, including public code review.
-
-What Yocto Security Team does when it receives a security vulnerability
------------------------------------------------------------------------
-
-The YP Security Team team performs a quick analysis and would usually report
-the flaw to the upstream project. Normally the upstream project analyzes the
-problem. If they deem it a real security problem in their software, they
-develop and release a fix following their own security policy. They may want
-to include the original reporter in the loop. There is also sometimes some
-coordination for handling patches, backporting patches etc, or just
-understanding the problem or what caused it.
-
-The security policy of the upstream project might include a notification to
-Linux distributions or other important downstream projects in advance to
-discuss coordinated disclosure. These mailing lists are normally non-public.
-
-When the upstream project releases a version with the fix, they are responsible
-for contacting `Mitre <https://www.cve.org/>`__ to get a CVE number assigned and
-the CVE record published.
-
-If an upstream project does not respond quickly
------------------------------------------------
-
-If an upstream project does not fix the problem in a reasonable time,
-the Yocto's Security Team will contact other interested parties (usually
-other distributions) in the community and together try to solve the
-vulnerability as quickly as possible.
-
-The Yocto Project Security team adheres to the 90 days disclosure policy
-by default. An increase of the embargo time is possible when necessary.
-
-Current Security Team members
------------------------------
-
-For secure communications, please send your messages encrypted using the GPG
-keys. Remember, message headers are not encrypted so do not include sensitive
-information in the subject line.
-
-  -  Ross Burton: <ross@burtonini.com> `Public key <https://keys.openpgp.org/search?q=ross%40burtonini.com>`__
-
-  -  Michael Halstead: <mhalstead [at] linuxfoundation [dot] org>
-     `Public key <https://pgp.mit.edu/pks/lookup?op=vindex&search=0x3373170601861969>`__
-     or `Public key <https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xd1f2407285e571ed12a407a73373170601861969>`__
-
-  -  Richard Purdie: <richard.purdie@linuxfoundation.org> `Public key <https://keys.openpgp.org/search?q=richard.purdie%40linuxfoundation.org>`__
-
-  -  Marta Rybczynska: <marta DOT rybczynska [at] syslinbit [dot] com> `Public key <https://keys.openpgp.org/search?q=marta.rybczynska@syslinbit.com>`__
-
-  -  Steve Sakoman: <steve [at] sakoman [dot] com> `Public key <https://keys.openpgp.org/search?q=steve%40sakoman.com>`__

documentation/dev-manual/start.rst

@@ -543,6 +543,7 @@ your Yocto Project build host:
          DISKPART> select vdisk file="<path_to_VHDX_file>"
          DISKPART> attach vdisk readonly
          DISKPART> compact vdisk
+         DISKPART> detach
          DISKPART> exit
 
 .. note::
@@ -675,7 +676,7 @@ described in the ":ref:`dev-manual/start:accessing index of releases`" section.
    .. note::
 
       For a "map" of Yocto Project releases to version numbers, see the
-      :yocto_wiki:`Releases </Releases>` wiki page.
+      :yocto_home:`Releases </development/releases/>` page.
 
    You can use the "RELEASE ARCHIVE" link to reveal a menu of all Yocto
    Project releases.

documentation/dev-manual/upgrading-recipes.rst

@@ -333,7 +333,7 @@ Manually Upgrading a Recipe
 
 If for some reason you choose not to upgrade recipes using
 :ref:`dev-manual/upgrading-recipes:Using the Auto Upgrade Helper (AUH)` or
-by :ref:`dev-manual/upgrading-recipes:Using \`\`devtool upgrade\`\``,
+by :ref:`dev-manual/upgrading-recipes:Using ``devtool upgrade```,
 you can manually edit the recipe files to upgrade the versions.
 
 .. note::

documentation/dev-manual/vulnerabilities.rst

@@ -12,7 +12,7 @@ known security vulnerabilities, as tracked by the public
 database.
 
 The Yocto Project maintains a `list of known vulnerabilities
-<https://autobuilder.yocto.io/pub/non-release/patchmetrics/>`__
+<https://valkyrie.yocto.io/pub/non-release/patchmetrics/>`__
 for packages in Poky and OE-Core, tracking the evolution of the number of
 unpatched CVEs and the status of patches. Such information is available for
 the current development version and for each supported release.
@@ -235,7 +235,7 @@ products defined in :term:`CVE_PRODUCT`. Then, for each found CVE:
 The CVE database is stored in :term:`DL_DIR` and can be inspected using
 ``sqlite3`` command as follows::
 
-   sqlite3 downloads/CVE_CHECK/nvdcve_1.1.db .dump | grep CVE-2021-37462
+   sqlite3 downloads/CVE_CHECK/nvd*.db .dump | grep CVE-2021-37462
 
 When analyzing CVEs, it is recommended to:
 

documentation/dev-manual/wic.rst

@@ -514,7 +514,7 @@ or ::
 
    For more information on how to use the ``bmaptool``
    to flash a device with an image, see the
-   ":ref:`dev-manual/bmaptool:flashing images using \`\`bmaptool\`\``"
+   ":ref:`dev-manual/bmaptool:flashing images using ``bmaptool```"
    section.
 
 Using a Modified Kickstart File

documentation/index.rst

@@ -20,7 +20,6 @@ Welcome to the Yocto Project Documentation
    Yocto Project Software Overview <https://www.yoctoproject.org/software-overview/>
    Tips and Tricks Wiki <https://wiki.yoctoproject.org/wiki/TipsAndTricks>
 
-
 .. toctree::
    :maxdepth: 1
    :caption: Manuals
@@ -37,6 +36,12 @@ Welcome to the Yocto Project Documentation
    Test Environment Manual <test-manual/index>
    bitbake
 
+.. toctree::
+   :maxdepth: 1
+   :caption: Security
+
+   Yocto Project Security Reference <security-reference/index>
+
 .. toctree::
    :maxdepth: 1
    :caption: Release Manuals

documentation/kernel-dev/common.rst

@@ -724,13 +724,9 @@ a Raspberry Pi 2, which is based on the Broadcom 2708/2709 chipset::
 
    KBUILD_DEFCONFIG:raspberrypi2 ?= "bcm2709_defconfig"
 
-Aside from modifying your kernel recipe and providing your own
-``defconfig`` file, you need to be sure no files or statements set
-:term:`SRC_URI` to use a ``defconfig`` other than your "in-tree" file (e.g.
-a kernel's ``linux-``\ `machine`\ ``.inc`` file). In other words, if the
-build system detects a statement that identifies an "out-of-tree"
-``defconfig`` file, that statement will override your
-:term:`KBUILD_DEFCONFIG` variable.
+If the build system detects a statement that identifies an "out-of-tree"
+``defconfig`` file, your :term:`KBUILD_DEFCONFIG` variable will take precedence
+over it.
 
 See the
 :term:`KBUILD_DEFCONFIG`
@@ -746,7 +742,7 @@ the extensible SDK and ``devtool``.
 
    Before attempting this procedure, be sure you have performed the
    steps to get ready for updating the kernel as described in the
-   ":ref:`kernel-dev/common:getting ready to develop using \`\`devtool\`\``"
+   ":ref:`kernel-dev/common:getting ready to develop using ``devtool```"
    section.
 
 Patching the kernel involves changing or adding configurations to an
@@ -759,7 +755,7 @@ output at boot time through ``printk`` statements in the kernel's
 ``calibrate.c`` source code file. Applying the patch and booting the
 modified image causes the added messages to appear on the emulator's
 console. The example is a continuation of the setup procedure found in
-the ":ref:`kernel-dev/common:getting ready to develop using \`\`devtool\`\``" Section.
+the ":ref:`kernel-dev/common:getting ready to develop using ``devtool```" Section.
 
 1. *Check Out the Kernel Source Files:* First you must use ``devtool``
    to checkout the kernel source code in its workspace. Be sure you are
@@ -768,7 +764,7 @@ the ":ref:`kernel-dev/common:getting ready to develop using \`\`devtool\`\``" Se
    .. note::
 
       See this step in the
-      ":ref:`kernel-dev/common:getting ready to develop using \`\`devtool\`\``"
+      ":ref:`kernel-dev/common:getting ready to develop using ``devtool```"
       section for more information.
 
    Use the following ``devtool`` command to check out the code::
@@ -883,7 +879,7 @@ the ":ref:`kernel-dev/common:getting ready to develop using \`\`devtool\`\``" Se
    .. note::
 
       See Step 3 of the
-      ":ref:`kernel-dev/common:getting ready to develop using \`\`devtool\`\``"
+      ":ref:`kernel-dev/common:getting ready to develop using ``devtool```"
       section for information on setting up this layer.
 
    Once the command
@@ -1271,15 +1267,17 @@ appear in the ``.config`` file, which is in the :term:`Build Directory`.
 
    For more information about where the ``.config`` file is located, see the
    example in the
-   ":ref:`kernel-dev/common:using \`\`menuconfig\`\``"
+   ":ref:`kernel-dev/common:using ``menuconfig```"
    section.
 
 It is simple to create a configuration fragment. One method is to use
 shell commands. For example, issuing the following from the shell
-creates a configuration fragment file named ``my_smp.cfg`` that enables
-multi-processor support within the kernel::
+creates a configuration fragment file named ``my_changes.cfg`` that enables
+multi-processor support within the kernel and disables the FPGA
+Configuration Framework::
 
-   $ echo "CONFIG_SMP=y" >> my_smp.cfg
+   $ echo "CONFIG_SMP=y" >> my_changes.cfg
+   $ echo "# CONFIG_FPGA is not set" >> my_changes.cfg
 
 .. note::
 
@@ -1367,7 +1365,7 @@ when you override a policy configuration in a hardware configuration
 fragment.
 
 In order to run this task, you must have an existing ``.config`` file.
-See the ":ref:`kernel-dev/common:using \`\`menuconfig\`\``" section for
+See the ":ref:`kernel-dev/common:using ``menuconfig```" section for
 information on how to create a configuration file.
 
 Here is sample output from the ``do_kernel_configcheck`` task:
@@ -1440,7 +1438,7 @@ and
 tasks until they produce no warnings.
 
 For more information on how to use the ``menuconfig`` tool, see the
-:ref:`kernel-dev/common:using \`\`menuconfig\`\`` section.
+:ref:`kernel-dev/common:using ``menuconfig``` section.
 
 Fine-Tuning the Kernel Configuration File
 -----------------------------------------
@@ -1516,15 +1514,13 @@ Expanding Variables
 ===================
 
 Sometimes it is helpful to determine what a variable expands to during a
-build. You can examine the values of variables by examining the
-output of the ``bitbake -e`` command. The output is long and is more
-easily managed in a text file, which allows for easy searches::
+build. You can examine the value of a variable by running the ``bitbake-getvar``
+command::
 
-   $ bitbake -e virtual/kernel > some_text_file
+   $ bitbake-getvar -r virtual/kernel VARIABLE
 
-Within the text file, you can see
-exactly how each variable is expanded and used by the OpenEmbedded build
-system.
+The output of the command explains exactly how the variable is expanded and used
+by the :term:`OpenEmbedded Build System`.
 
 Working with a "Dirty" Kernel Version String
 ============================================

documentation/kernel-dev/intro.rst

@@ -122,7 +122,7 @@ general information and references for further information.
    Using ``devtool`` and the eSDK requires that you have a clean build
    of the image and that you are set up with the appropriate eSDK. For
    more information, see the
-   ":ref:`kernel-dev/common:getting ready to develop using \`\`devtool\`\``"
+   ":ref:`kernel-dev/common:getting ready to develop using ``devtool```"
    section.
 
    Using traditional kernel development requires that you have the

documentation/migration-guides/migration-4.0.rst

@@ -143,7 +143,7 @@ Python changes
   The new Python packaging classes that should be used are
   :ref:`python_flit_core <ref-classes-python_flit_core>`,
   :ref:`python_setuptools_build_meta <ref-classes-python_setuptools_build_meta>`
-  and :ref:`python_poetry_core <ref-classes-python_poetry_core>`.  
+  and :ref:`python_poetry_core <ref-classes-python_poetry_core>`.
 
 - The :ref:`setuptools3 <ref-classes-setuptools3>` class ``do_install()`` task now
   installs the ``wheel`` binary archive. In current versions of ``setuptools`` the

documentation/migration-guides/release-4.0.rst

@@ -32,3 +32,10 @@ Release 4.0 (kirkstone)
    release-notes-4.0.23
    release-notes-4.0.24
    release-notes-4.0.25
+   release-notes-4.0.26
+   release-notes-4.0.27
+   release-notes-4.0.28
+   release-notes-4.0.29
+   release-notes-4.0.30
+   release-notes-4.0.31
+   release-notes-4.0.32

documentation/migration-guides/release-notes-4.0.26.rst

@@ -0,0 +1,263 @@
+Release notes for Yocto-4.0.26 (Kirkstone)
+------------------------------------------
+
+Security Fixes in Yocto-4.0.26
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+
+-  bind: Fix :cve_nist:`2024-11187` and :cve_nist:`2024-12705`
+-  binutils: Fix :cve_nist:`2025-0840`
+-  elfutils: Fix :cve_nist:`2025-1352` and :cve_nist:`2025-1372`
+-  ffmpeg: Fix CVE-2024-28661, :cve_nist:`2024-35369`, :cve_nist:`2024-36613`, :cve_nist:`2024-36616`,
+   :cve_nist:`2024-36617`, :cve_nist:`2024-36618`, :cve_nist:`2025-0518` and :cve_nist:`2025-25473`
+-  ffmpeg: Ignore :cve_nist:`2023-46407`, :cve_nist:`2023-47470`, :cve_nist:`2024-7272`,
+   :cve_nist:`2024-22860`, :cve_nist:`2024-22861` and :cve_nist:`2024-22862`
+-  freetype: Fix :cve_nist:`2025-27363`
+-  gnutls: Fix :cve_nist:`2024-12243`
+-  grub: Fix :cve_nist:`2024-45774`, :cve_nist:`2024-45775`, :cve_nist:`2024-45776`,
+   :cve_nist:`2024-45777`, :cve_nist:`2024-45778`, :cve_nist:`2024-45779`, :cve_nist:`2024-45780`,
+   :cve_nist:`2024-45781`, :cve_nist:`2024-45782`, :cve_nist:`2024-45783`, :cve_nist:`2024-56737`,
+   :cve_nist:`2025-0622`, :cve_nist:`2025-0624`, :cve_nist:`2025-0677`, :cve_nist:`2025-0684`,
+   :cve_nist:`2025-0685`, :cve_nist:`2025-0686`, :cve_nist:`2025-0689`, :cve_nist:`2025-0678`,
+   :cve_nist:`2025-0690`, :cve_nist:`2025-1118` and :cve_nist:`2025-1125`
+-  gstreamer1.0-rtsp-server: fix :cve_nist:`2024-44331`
+-  libarchive: Fix :cve_nist:`2025-25724`
+-  libarchive: Ignore :cve_nist:`2025-1632`
+-  libcap: Fix :cve_nist:`2025-1390`
+-  linux-yocto/5.10: Fix :cve_nist:`2024-36476`, :cve_nist:`2024-43098`, :cve_nist:`2024-47143`,
+   :cve_nist:`2024-48881`, :cve_nist:`2024-50051`, :cve_nist:`2024-50074`, :cve_nist:`2024-50082`,
+   :cve_nist:`2024-50083`, :cve_nist:`2024-50099`, :cve_nist:`2024-50115`, :cve_nist:`2024-50116`,
+   :cve_nist:`2024-50117`, :cve_nist:`2024-50142`, :cve_nist:`2024-50148`, :cve_nist:`2024-50150`,
+   :cve_nist:`2024-50151`, :cve_nist:`2024-50167`, :cve_nist:`2024-50168`, :cve_nist:`2024-50171`,
+   :cve_nist:`2024-50185`, :cve_nist:`2024-50192`, :cve_nist:`2024-50193`, :cve_nist:`2024-50194`,
+   :cve_nist:`2024-50195`, :cve_nist:`2024-50198`, :cve_nist:`2024-50201`, :cve_nist:`2024-50202`,
+   :cve_nist:`2024-50205`, :cve_nist:`2024-50208`, :cve_nist:`2024-50209`, :cve_nist:`2024-50229`,
+   :cve_nist:`2024-50230`, :cve_nist:`2024-50233`, :cve_nist:`2024-50234`, :cve_nist:`2024-50236`,
+   :cve_nist:`2024-50237`, :cve_nist:`2024-50251`, :cve_nist:`2024-50262`, :cve_nist:`2024-50264`,
+   :cve_nist:`2024-50265`, :cve_nist:`2024-50267`, :cve_nist:`2024-50268`, :cve_nist:`2024-50269`,
+   :cve_nist:`2024-50273`, :cve_nist:`2024-50278`, :cve_nist:`2024-50279`, :cve_nist:`2024-50282`,
+   :cve_nist:`2024-50287`, :cve_nist:`2024-50292`, :cve_nist:`2024-50296`, :cve_nist:`2024-50299`,
+   :cve_nist:`2024-50301`, :cve_nist:`2024-50302`, :cve_nist:`2024-53042`, :cve_nist:`2024-53052`,
+   :cve_nist:`2024-53057`, :cve_nist:`2024-53059`, :cve_nist:`2024-53060`, :cve_nist:`2024-53061`,
+   :cve_nist:`2024-53063`, :cve_nist:`2024-53066`, :cve_nist:`2024-53096`, :cve_nist:`2024-53097`,
+   :cve_nist:`2024-53101`, :cve_nist:`2024-53103`, :cve_nist:`2024-53104`, :cve_nist:`2024-53145`,
+   :cve_nist:`2024-53146`, :cve_nist:`2024-53150`, :cve_nist:`2024-53155`, :cve_nist:`2024-53156`,
+   :cve_nist:`2024-53157`, :cve_nist:`2024-53161`, :cve_nist:`2024-53165`, :cve_nist:`2024-53171`,
+   :cve_nist:`2024-53173`, :cve_nist:`2024-53174`, :cve_nist:`2024-53194`, :cve_nist:`2024-53197`,
+   :cve_nist:`2024-53217`, :cve_nist:`2024-53226`, :cve_nist:`2024-53227`, :cve_nist:`2024-53237`,
+   :cve_nist:`2024-53239`, :cve_nist:`2024-55916`, :cve_nist:`2024-56548`, :cve_nist:`2024-56558`,
+   :cve_nist:`2024-56567`, :cve_nist:`2024-56568`, :cve_nist:`2024-56569`, :cve_nist:`2024-56572`,
+   :cve_nist:`2024-56574`, :cve_nist:`2024-56581`, :cve_nist:`2024-56587`, :cve_nist:`2024-56593`,
+   :cve_nist:`2024-56595`, :cve_nist:`2024-56596`, :cve_nist:`2024-56598`, :cve_nist:`2024-56600`,
+   :cve_nist:`2024-56601`, :cve_nist:`2024-56602`, :cve_nist:`2024-56603`, :cve_nist:`2024-56605`,
+   :cve_nist:`2024-56606`, :cve_nist:`2024-56615`, :cve_nist:`2024-56619`, :cve_nist:`2024-56623`,
+   :cve_nist:`2024-56629`, :cve_nist:`2024-56634`, :cve_nist:`2024-56642`, :cve_nist:`2024-56643`,
+   :cve_nist:`2024-56648`, :cve_nist:`2024-56650`, :cve_nist:`2024-56659`, :cve_nist:`2024-56662`,
+   :cve_nist:`2024-56670`, :cve_nist:`2024-56688`, :cve_nist:`2024-56698`, :cve_nist:`2024-56704`,
+   :cve_nist:`2024-56716`, :cve_nist:`2024-56720`, :cve_nist:`2024-56723`, :cve_nist:`2024-56724`,
+   :cve_nist:`2024-56728`, :cve_nist:`2024-56739`, :cve_nist:`2024-56746`, :cve_nist:`2024-56747`,
+   :cve_nist:`2024-56748`, :cve_nist:`2024-56754`, :cve_nist:`2024-56756`, :cve_nist:`2024-56770`,
+   :cve_nist:`2024-56779`, :cve_nist:`2024-56780`, :cve_nist:`2024-56781`, :cve_nist:`2024-56785`,
+   :cve_nist:`2024-57802`, :cve_nist:`2024-57807`, :cve_nist:`2024-57850`, :cve_nist:`2024-57874`,
+   :cve_nist:`2024-57890`, :cve_nist:`2024-57896`, :cve_nist:`2024-57900`, :cve_nist:`2024-57901`,
+   :cve_nist:`2024-57902`, :cve_nist:`2024-57910`, :cve_nist:`2024-57911`, :cve_nist:`2024-57913`,
+   :cve_nist:`2024-57922`, :cve_nist:`2024-57938`, :cve_nist:`2024-57939`, :cve_nist:`2024-57946`,
+   :cve_nist:`2024-57951`, :cve_nist:`2025-21638`, :cve_nist:`2025-21687`, :cve_nist:`2025-21689`,
+   :cve_nist:`2025-21692`, :cve_nist:`2025-21694`, :cve_nist:`2025-21697` and :cve_nist:`2025-21699`
+-  linux-yocto/5.15: Fix :cve_nist:`2024-57979`, :cve_nist:`2024-58034`, :cve_nist:`2024-58052`,
+   :cve_nist:`2024-58055`, :cve_nist:`2024-58058`, :cve_nist:`2024-58063`, :cve_nist:`2024-58069`,
+   :cve_nist:`2024-58071`, :cve_nist:`2024-58076`, :cve_nist:`2024-58083`, :cve_nist:`2025-21700`,
+   :cve_nist:`2025-21703`, :cve_nist:`2025-21715`, :cve_nist:`2025-21722`, :cve_nist:`2025-21727`,
+   :cve_nist:`2025-21731`, :cve_nist:`2025-21753`, :cve_nist:`2025-21756`, :cve_nist:`2025-21760`,
+   :cve_nist:`2025-21761`, :cve_nist:`2025-21762`, :cve_nist:`2025-21763`, :cve_nist:`2025-21764`,
+   :cve_nist:`2025-21796`, :cve_nist:`2025-21811`, :cve_nist:`2025-21887`, :cve_nist:`2025-21898`,
+   :cve_nist:`2025-21904`, :cve_nist:`2025-21905`, :cve_nist:`2025-21912`, :cve_nist:`2025-21917`,
+   :cve_nist:`2025-21919`, :cve_nist:`2025-21920`, :cve_nist:`2025-21922`, :cve_nist:`2025-21934`,
+   :cve_nist:`2025-21943`, :cve_nist:`2025-21948` and :cve_nist:`2025-21951`
+-  libpcre2: Ignore :cve_nist:`2022-1586`
+-  libtasn1: Fix :cve_nist:`2024-12133`
+-  libxml2: Fix :cve_nist:`2022-49043`, :cve_nist:`2024-56171`, :cve_nist:`2025-24928` and
+   :cve_nist:`2025-27113`
+-  libxslt: Fix :cve_nist:`2024-55549` and :cve_nist:`2025-24855`
+-  llvm: Fix :cve_nist:`2024-0151`
+-  mpg123: Fix :cve_nist:`2024-10573`
+-  openssh: Fix :cve_nist:`2025-26465`
+-  ovmf: Revert Fix for CVE-2023-45236 :cve_nist:`2023-45237`
+-  perl: Ignore :cve_nist:`2023-47038`
+-  puzzles: Ignore :cve_nist:`2024-13769`, :cve_nist:`2024-13770` and :cve_nist:`2025-0837`
+-  python3: Fix :cve_nist:`2025-0938`
+-  ruby: Fix :cve_nist:`2024-41946`, :cve_nist:`2025-27219` and :cve_nist:`2025-27220`
+-  subversion: Ignore :cve_nist:`2024-45720`
+-  systemd: Fix :cve_nist:`2022-3821`, :cve_nist:`2022-4415`, :cve_nist:`2022-45873` and
+   :cve_nist:`2023-7008`
+-  tiff: mark :cve_nist:`2023-30774` as patched with existing patch
+-  u-boot: Fix :cve_nist:`2022-2347`, :cve_nist:`2022-30767`, :cve_nist:`2022-30790`,
+   :cve_nist:`2024-57254`, :cve_nist:`2024-57255`, :cve_nist:`2024-57256`, :cve_nist:`2024-57257`,
+   :cve_nist:`2024-57258` and :cve_nist:`2024-57259`
+-  vim: Fix :cve_nist:`2025-1215`, :cve_nist:`2025-22134`, :cve_nist:`2025-24014`,
+   :cve_nist:`2025-26603`, :cve_nist:`2025-27423` and :cve_nist:`2025-29768`
+-  xserver-xorg: Fix :cve_nist:`2022-49737`, :cve_nist:`2025-26594`, :cve_nist:`2025-26595`,
+   :cve_nist:`2025-26596`, :cve_nist:`2025-26597`, :cve_nist:`2025-26598`, :cve_nist:`2025-26599`,
+   :cve_nist:`2025-26600` and :cve_nist:`2025-26601`
+-  xwayland: Fix :cve_nist:`2022-49737`, :cve_nist:`2024-9632`, :cve_nist:`2024-21885`,
+   :cve_nist:`2024-21886`, :cve_nist:`2024-31080`, :cve_nist:`2024-31081`, :cve_nist:`2024-31083`,
+   :cve_nist:`2025-26594`, :cve_nist:`2025-26595`, :cve_nist:`2025-26596`, :cve_nist:`2025-26597`,
+   :cve_nist:`2025-26598`, :cve_nist:`2025-26599`, :cve_nist:`2025-26600` and :cve_nist:`2025-26601`
+-  zlib: Fix :cve_nist:`2014-9485`
+
+
+
+Fixes in Yocto-4.0.26
+~~~~~~~~~~~~~~~~~~~~~
+
+-  bind: Upgrade to 9.18.33
+-  bitbake: cache: bump cache version
+-  bitbake: siggen.py: Improve taskhash reproducibility
+-  boost: fix do_fetch error
+-  build-appliance-image: Update to kirkstone head revision
+-  contributor-guide/submit-changes: add policy on AI generated code
+-  cve-update-nvd2-native: handle missing vulnStatus
+-  docs: Add favicon for the documentation html
+-  docs: Remove all mention of core-image-lsb
+-  libtasn1: upgrade to 4.20.0
+-  libxcrypt-compat: Remove libcrypt.so to fix conflict with libcrypt
+-  libxml2: fix compilation of explicit child axis in pattern
+-  linux-yocto/5.10: update to v5.10.234
+-  linux-yocto/5.15: update to v5.15.179
+-  mesa: Fix missing GLES3 headers in SDK sysroot
+-  mesa: Update :term:`SRC_URI`
+-  meta: Enable '-o pipefail' for the SDK installer
+-  migration-guides: add release notes for 4.0.25
+-  poky.conf: add ubuntu2404 to :term:`SANITY_TESTED_DISTROS`
+-  poky.conf: bump version for 4.0.26
+-  procps: replaced one use of fputs(3) with a write(2) call
+-  ref-manual: don't refer to poky-lsb
+-  scripts/install-buildtools: Update to 4.0.24
+-  scritps/runqemu: Ensure we only have two serial ports
+-  systemd: upgrade to 250.14
+-  tzcode-native: Fix compiler setting from 2023d version
+-  tzcode: Update :term:`SRC_URI`
+-  tzdata/tzcode-native: upgrade 2025a
+-  vim: Upgrade to 9.1.1198
+-  virglrenderer: fix do_fetch error
+-  vulnerabilities/classes: remove references to cve-check text format
+-  xz: Update :term:`SRC_URI`
+-  yocto-uninative: Update to 4.7 for glibc 2.41
+
+
+Known Issues in Yocto-4.0.26
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- N/A
+
+
+Contributors to Yocto-4.0.26
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Thanks to the following people who contributed to this release:
+
+-  Aleksandar Nikolic
+-  Alessio Cascone
+-  Antonin Godard
+-  Archana Polampalli
+-  Ashish Sharma
+-  Bruce Ashfield
+-  Carlos Dominguez
+-  Deepesh Varatharajan
+-  Divya Chellam
+-  Guocai He
+-  Hitendra Prajapati
+-  Hongxu Jia
+-  Jiaying Song
+-  Johannes Kauffmann
+-  Kai Kang
+-  Lee Chee Yang
+-  Libo Chen
+-  Marta Rybczynska
+-  Michael Halstead
+-  Mingli Yu
+-  Moritz Haase
+-  Narpat Mali
+-  Paulo Neves
+-  Peter Marko
+-  Priyal Doshi
+-  Richard Purdie
+-  Robert Yang
+-  Ross Burton
+-  Sakib Sajal
+-  Steve Sakoman
+-  Vijay Anusuri
+-  Yogita Urade
+-  Zhang Peng
+
+
+Repositories / Downloads for Yocto-4.0.26
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+poky
+
+-  Repository Location: :yocto_git:`/poky`
+-  Branch: :yocto_git:`kirkstone </poky/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.26 </poky/log/?h=yocto-4.0.26>`
+-  Git Revision: :yocto_git:`d70d287a77d5026b698ac237ab865b2dafd36bb8 </poky/commit/?id=d70d287a77d5026b698ac237ab865b2dafd36bb8>`
+-  Release Artefact: poky-d70d287a77d5026b698ac237ab865b2dafd36bb8
+-  sha: 3ebfadb8bff4c1ca12b3cf3e4ef6e3ac2ce52b73570266daa98436c9959249f2
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.26/poky-d70d287a77d5026b698ac237ab865b2dafd36bb8.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.26/poky-d70d287a77d5026b698ac237ab865b2dafd36bb8.tar.bz2
+
+openembedded-core
+
+-  Repository Location: :oe_git:`/openembedded-core`
+-  Branch: :oe_git:`kirkstone </openembedded-core/log/?h=kirkstone>`
+-  Tag:  :oe_git:`yocto-4.0.26 </openembedded-core/log/?h=yocto-4.0.26>`
+-  Git Revision: :oe_git:`1efbe1004bc82e7c14c1e8bd4ce644f5015c3346 </openembedded-core/commit/?id=1efbe1004bc82e7c14c1e8bd4ce644f5015c3346>`
+-  Release Artefact: oecore-1efbe1004bc82e7c14c1e8bd4ce644f5015c3346
+-  sha: d3805e034dabd0865dbf55488b2c16d4ea0351d37aa826f0054a6bfdde5a8be9
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.26/oecore-1efbe1004bc82e7c14c1e8bd4ce644f5015c3346.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.26/oecore-1efbe1004bc82e7c14c1e8bd4ce644f5015c3346.tar.bz2
+
+meta-mingw
+
+-  Repository Location: :yocto_git:`/meta-mingw`
+-  Branch: :yocto_git:`kirkstone </meta-mingw/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.26 </meta-mingw/log/?h=yocto-4.0.26>`
+-  Git Revision: :yocto_git:`87c22abb1f11be430caf4372e6b833dc7d77564e </meta-mingw/commit/?id=87c22abb1f11be430caf4372e6b833dc7d77564e>`
+-  Release Artefact: meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e
+-  sha: f0bc4873e2e0319fb9d6d6ab9b98eb3f89664d4339a167d2db6a787dd12bc1a8
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.26/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.26/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+
+meta-gplv2
+
+-  Repository Location: :yocto_git:`/meta-gplv2`
+-  Branch: :yocto_git:`kirkstone </meta-gplv2/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.26 </meta-gplv2/log/?h=yocto-4.0.26>`
+-  Git Revision: :yocto_git:`d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a </meta-gplv2/commit/?id=d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a>`
+-  Release Artefact: meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a
+-  sha: c386f59f8a672747dc3d0be1d4234b6039273d0e57933eb87caa20f56b9cca6d
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.26/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.26/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+
+bitbake
+
+-  Repository Location: :oe_git:`/bitbake`
+-  Branch: :oe_git:`2.0 </bitbake/log/?h=2.0>`
+-  Tag:  :oe_git:`yocto-4.0.26 </bitbake/log/?h=yocto-4.0.26>`
+-  Git Revision: :oe_git:`046871d9fd76efdca7b72718b328d8f545523f7e </bitbake/commit/?id=046871d9fd76efdca7b72718b328d8f545523f7e>`
+-  Release Artefact: bitbake-046871d9fd76efdca7b72718b328d8f545523f7e
+-  sha: e9df0a9f5921b583b539188d66b23f120e1751000e7822e76c3391d5c76ee21a
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.26/bitbake-046871d9fd76efdca7b72718b328d8f545523f7e.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.26/bitbake-046871d9fd76efdca7b72718b328d8f545523f7e.tar.bz2
+
+yocto-docs
+
+-  Repository Location: :yocto_git:`/yocto-docs`
+-  Branch: :yocto_git:`kirkstone </yocto-docs/log/?h=kirkstone>`
+-  Tag: :yocto_git:`yocto-4.0.26 </yocto-docs/log/?h=yocto-4.0.26>`
+-  Git Revision: :yocto_git:`9b4c36f7b02dd4bedfec90206744a1e90e37733c </yocto-docs/commit/?id=9b4c36f7b02dd4bedfec90206744a1e90e37733c>`
+

documentation/migration-guides/release-notes-4.0.27.rst

@@ -0,0 +1,153 @@
+Release notes for Yocto-4.0.27 (Kirkstone)
+------------------------------------------
+
+Security Fixes in Yocto-4.0.27
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  binutils: Fix :cve_nist:`2025-1178`
+-  busybox: fix :cve_nist:`2023-39810`
+-  connman :fix :cve_nist:`2025-32743`
+-  curl: Ignore :cve_nist:`2025-0725`
+-  ghostscript: Fix :cve_nist:`2025-27830`, :cve_nist:`2025-27831`, :cve_nist:`2025-27832`,
+   :cve_nist:`2025-27834`, :cve_nist:`2025-27835` and :cve_nist:`2025-27836`
+-  ghostscript: Ignore :cve_nist:`2024-29507`, :cve_nist:`2025-27833` and :cve_nist:`2025-27837`
+-  glib-2.0: Fix :cve_nist:`2025-3360`
+-  go: Fix :cve_nist:`2025-22871`
+-  libarchive: Ignore :cve_nist:`2024-48615`
+-  libpam: Fix :cve_nist:`2024-10041`
+-  libsoup-2.4: Fix :cve_nist:`2024-52532`, :cve_nist:`2025-32906` and :cve_nist:`2025-32909`
+-  libsoup: Fix :cve_nist:`2024-52532`, :cve_nist:`2025-32906`, :cve_nist:`2025-32909`,
+   :cve_nist:`2025-32910`, :cve_nist:`2025-32911`, :cve_nist:`2025-32912`, :cve_nist:`2025-32913`
+   and :cve_nist:`2025-32914`
+-  libxml2: Fix :cve_nist:`2025-32414` and :cve_nist:`2025-32415`
+-  ofono: Fix :cve_nist:`2024-7537`
+-  perl: Fix :cve_nist:`2024-56406`
+-  ppp: Fix :cve_nist:`2024-58250`
+-  python3-setuptools: Fix :cve_nist:`2024-6345`
+-  qemu: Ignore :cve_nist:`2023-1386`
+-  ruby: Fix :cve_nist:`2024-43398`
+-  sqlite3: Fix :cve_nist:`2025-29088`
+-  systemd: Ignore :cve_nist:`2022-3821`, :cve_nist:`2022-4415` and :cve_nist:`2022-45873`
+
+
+Fixes in Yocto-4.0.27
+~~~~~~~~~~~~~~~~~~~~~
+
+-  Revert "cve-update-nvd2-native: Tweak to work better with NFS DL_DIR"
+-  build-appliance-image: Update to kirkstone head revision
+-  cve-update-nvd2-native: add workaround for json5 style list
+-  docs: Fix dead links that use the :term:`DISTRO` macro
+-  docs: manuals: remove repeated word
+-  docs: poky.yaml: introduce DISTRO_LATEST_TAG
+-  glibc: Add single-threaded fast path to rand()
+-  glibc: stable 2.35 branch updates
+-  module.bbclass: add KBUILD_EXTRA_SYMBOLS to install
+-  perl: enable _GNU_SOURCE define via d_gnulibc
+-  poky.conf: bump version for 4.0.27
+-  ref-manual/variables.rst: document autotools class related variables
+-  scripts/install-buildtools: Update to 4.0.26
+-  systemd: backport patch to fix journal issue
+-  systemd: systemd-journald fails to setup LogNamespace
+-  tzdata/tzcode-native: upgrade to 2025b
+
+
+Known Issues in Yocto-4.0.27
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- N/A
+
+
+Contributors to Yocto-4.0.27
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  Aleksandar Nikolic
+-  Alexander Kanavin
+-  Alon Bar-Lev
+-  Andrew Kreimer
+-  Antonin Godard
+-  Chen Qi
+-  Deepesh Varatharajan
+-  Divya Chellam
+-  Haitao Liu
+-  Haixiao Yan
+-  Hitendra Prajapati
+-  Peter Marko
+-  Praveen Kumar
+-  Priyal Doshi
+-  Shubham Kulkarni
+-  Soumya Sambu
+-  Steve Sakoman
+-  Vijay Anusuri
+-  Yogita Urade
+
+
+Repositories / Downloads for Yocto-4.0.27
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+poky
+
+-  Repository Location: :yocto_git:`/poky`
+-  Branch: :yocto_git:`kirkstone </poky/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.27 </poky/log/?h=yocto-4.0.27>`
+-  Git Revision: :yocto_git:`ab9a994a8cd8e06b519a693db444030999d273b7 </poky/commit/?id=ab9a994a8cd8e06b519a693db444030999d273b7>`
+-  Release Artefact: poky-ab9a994a8cd8e06b519a693db444030999d273b7
+-  sha: 77a366c17cf29eef15c6ff3f44e73f81c07288c723fd4a6dbd8c7ee9b79933f3
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.27/poky-ab9a994a8cd8e06b519a693db444030999d273b7.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.27/poky-ab9a994a8cd8e06b519a693db444030999d273b7.tar.bz2
+
+openembedded-core
+
+-  Repository Location: :oe_git:`/openembedded-core`
+-  Branch: :oe_git:`kirkstone </openembedded-core/log/?h=kirkstone>`
+-  Tag:  :oe_git:`yocto-4.0.27 </openembedded-core/log/?h=yocto-4.0.27>`
+-  Git Revision: :oe_git:`e8be08a624b2d024715a5c8b0c37f2345a02336b </openembedded-core/commit/?id=e8be08a624b2d024715a5c8b0c37f2345a02336b>`
+-  Release Artefact: oecore-e8be08a624b2d024715a5c8b0c37f2345a02336b
+-  sha: cc5b0fadab021c6dc61f37fc4ff01a1cf657e7c219488ce264bede42f7f6212f
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.27/oecore-e8be08a624b2d024715a5c8b0c37f2345a02336b.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.27/oecore-e8be08a624b2d024715a5c8b0c37f2345a02336b.tar.bz2
+
+meta-mingw
+
+-  Repository Location: :yocto_git:`/meta-mingw`
+-  Branch: :yocto_git:`kirkstone </meta-mingw/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.27 </meta-mingw/log/?h=yocto-4.0.27>`
+-  Git Revision: :yocto_git:`87c22abb1f11be430caf4372e6b833dc7d77564e </meta-mingw/commit/?id=87c22abb1f11be430caf4372e6b833dc7d77564e>`
+-  Release Artefact: meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e
+-  sha: f0bc4873e2e0319fb9d6d6ab9b98eb3f89664d4339a167d2db6a787dd12bc1a8
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.27/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.27/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+
+meta-gplv2
+
+-  Repository Location: :yocto_git:`/meta-gplv2`
+-  Branch: :yocto_git:`kirkstone </meta-gplv2/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.27 </meta-gplv2/log/?h=yocto-4.0.27>`
+-  Git Revision: :yocto_git:`d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a </meta-gplv2/commit/?id=d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a>`
+-  Release Artefact: meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a
+-  sha: c386f59f8a672747dc3d0be1d4234b6039273d0e57933eb87caa20f56b9cca6d
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.27/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.27/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+
+bitbake
+
+-  Repository Location: :oe_git:`/bitbake`
+-  Branch: :oe_git:`2.0 </bitbake/log/?h=2.0>`
+-  Tag:  :oe_git:`yocto-4.0.27 </bitbake/log/?h=yocto-4.0.27>`
+-  Git Revision: :oe_git:`046871d9fd76efdca7b72718b328d8f545523f7e </bitbake/commit/?id=046871d9fd76efdca7b72718b328d8f545523f7e>`
+-  Release Artefact: bitbake-046871d9fd76efdca7b72718b328d8f545523f7e
+-  sha: e9df0a9f5921b583b539188d66b23f120e1751000e7822e76c3391d5c76ee21a
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.27/bitbake-046871d9fd76efdca7b72718b328d8f545523f7e.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.27/bitbake-046871d9fd76efdca7b72718b328d8f545523f7e.tar.bz2
+
+yocto-docs
+
+-  Repository Location: :yocto_git:`/yocto-docs`
+-  Branch: :yocto_git:`kirkstone </yocto-docs/log/?h=kirkstone>`
+-  Tag: :yocto_git:`yocto-4.0.27 </yocto-docs/log/?h=yocto-4.0.27>`
+-  Git Revision: :yocto_git:`0d51e553d5f83eea6634e03ddc9c7740bf72fcea </yocto-docs/commit/?id=0d51e553d5f83eea6634e03ddc9c7740bf72fcea>`
+

documentation/migration-guides/release-notes-4.0.28.rst

@@ -0,0 +1,224 @@
+Release notes for Yocto-4.0.28 (Kirkstone)
+------------------------------------------
+
+Security Fixes in Yocto-4.0.28
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  binutils: Fix :cve_nist:`2025-1180`, :cve_nist:`2025-1182`, :cve_nist:`2025-5244` and
+   :cve_nist:`2025-5245`
+-  connman: Fix :cve_nist:`2025-32366`
+-  ffmpeg: Fix :cve_nist:`2025-1373`, :cve_nist:`2025-22919` and :cve_nist:`2025-22921`
+-  ffmpeg: Ignore :cve_nist:`2022-48434`
+-  ghostscript: Fix :cve_nist:`2025-48708`
+-  git: Fix :cve_nist:`2024-50349` and :cve_nist:`2024-52006`
+-  glib-2.0: Fix :cve_nist:`2025-4373`
+-  glibc: Fix for :cve_nist:`2025-4802`
+-  go: Fix :cve_nist:`2025-4673`
+-  go: ignore :cve_nist:`2024-3566`
+-  icu: Fix :cve_nist:`2025-5222`
+-  iputils: Fix :cve_nist:`2025-47268`
+-  libsoup-2.4: Fix :cve_nist:`2025-2784`, :cve_nist:`2025-4476`, :cve_nist:`2025-4948`,
+   :cve_nist:`2025-4969`, :cve_nist:`2025-32050`, :cve_nist:`2025-32052`, :cve_nist:`2025-32053`,
+   :cve_nist:`2025-32907`, :cve_nist:`2025-32910`, :cve_nist:`2025-32911`, :cve_nist:`2025-32912`,
+   :cve_nist:`2025-32913`, :cve_nist:`2025-32914`, :cve_nist:`2025-46420` and :cve_nist:`2025-46421`
+-  libsoup: Fix :cve_nist:`2025-2784`, :cve_nist:`2025-4476`, :cve_nist:`2025-4948`,
+   :cve_nist:`2025-4969`, :cve_nist:`2025-32050`, :cve_nist:`2025-32051`, :cve_nist:`2025-32052`,
+   :cve_nist:`2025-32053`, :cve_nist:`2025-32907`, :cve_nist:`2025-46420` and :cve_nist:`2025-46421`
+-  linux-yocto/5.15: Fix :cve_nist:`2024-26952`, :cve_nist:`2025-21941`, :cve_nist:`2025-21957`,
+   :cve_nist:`2025-21959`, :cve_nist:`2025-21962`, :cve_nist:`2025-21963`, :cve_nist:`2025-21964`,
+   :cve_nist:`2025-21968`, :cve_nist:`2025-21996`, :cve_nist:`2025-22018`, :cve_nist:`2025-22020`,
+   :cve_nist:`2025-22035`, :cve_nist:`2025-22054`, :cve_nist:`2025-22056`, :cve_nist:`2025-22063`,
+   :cve_nist:`2025-22066`, :cve_nist:`2025-22081`, :cve_nist:`2025-22097`, :cve_nist:`2025-23136`,
+   :cve_nist:`2025-37785`, :cve_nist:`2025-37803`, :cve_nist:`2025-37805`, :cve_nist:`2025-38152`,
+   :cve_nist:`2025-39728` and :cve_nist:`2025-39735`
+-  net-tools: Fix :cve_nist:`2025-46836`
+-  openssh: Fix :cve_nist:`2025-32728`
+-  python3: Fix :cve_nist:`2024-12718`, :cve_nist:`2025-0938`, :cve_nist:`2025-4138`,
+   :cve_nist:`2025-4330`, :cve_nist:`2025-4435`, :cve_nist:`2025-4516` and :cve_nist:`2025-4517`
+-  python3-requests: Fix :cve_nist:`2024-47081`
+-  python3-setuptools: Fix :cve_nist:`2025-47273`
+-  ruby: Fix :cve_nist:`2025-27221`
+-  screen: Fix :cve_nist:`2025-46802`, :cve_nist:`2025-46804` and :cve_nist:`2025-46805`
+-  taglib: Fix :cve_nist:`2023-47466`
+
+
+Fixes in Yocto-4.0.28
+~~~~~~~~~~~~~~~~~~~~~
+
+-  babeltrace/libatomic-ops: correct the :term:`SRC_URI`
+-  brief-yoctoprojectqs/ref-manual: Switch to new CDN
+-  bsp guide: update kernel version example to 6.12
+-  bsp-guide: update lonely "4.12" kernel reference to "6.12"
+-  build-appliance-image: Update to kirkstone head revision
+-  cmake: Correctly handle cost data of tests with arbitrary chars in name
+-  conf.py: tweak SearchEnglish to be hyphen-friendly
+-  contributor-guide/submit-changes: encourage patch version changelogs
+-  dev-manual/sbom.rst: fix wrong build outputs
+-  docs: Clean up explanation of minimum required version numbers
+-  docs: README: specify how to contribute instead of pointing at another file
+-  docs: conf.py: silence SyntaxWarning on js_splitter_code
+-  e2fsprogs: removed 'sed -u' option
+-  ffmpeg: Add "libswresample libavcodec" to :term:`CVE_PRODUCT`
+-  ffmpeg: upgrade to 5.0.3
+-  gcc: AArch64 - Fix strict-align cpymem/setmem
+-  glibc: nptl Fix indentation
+-  glibc: nptl Remove unnecessary catch-all-wake in condvar group switch
+-  glibc: nptl Remove unnecessary quadruple check in pthread_cond_wait
+-  glibc: nptl Update comments and indentation for new condvar implementation
+-  glibc: nptl Use a single loop in pthread_cond_wait instaed of a nested loop
+-  glibc: nptl Use all of g1_start and g_signals
+-  glibc: nptl rename __condvar_quiesce_and_switch_g1
+-  glibc: pthreads NPTL lost wakeup fix 2
+-  kernel.bbclass: add original package name to :term:`RPROVIDES` for -image and -base
+-  libpng: Improve ptest
+-  linux-yocto/5.15: update to v5.15.184
+-  migration-guides: add release notes for 4.0.26 and 4.0.27
+-  nfs-utils: don't use signals to shut down nfs server.
+-  poky.conf: bump version for 4.0.28
+-  python3: upgrade to 3.10.18
+-  ref-manual/release-process: update releases.svg
+-  ref-manual/variables.rst: document :term:`INHIBIT_DEFAULT_RUST_DEPS`
+   :term:`INHIBIT_UPDATERCD_BBCLASS` :term:`SSTATE_SKIP_CREATION` :term:`WIC_CREATE_EXTRA_ARGS`
+   :term:`IMAGE_ROOTFS_MAXSIZE` :term:`INITRAMFS_MAXSIZE`
+-  ref-manual: clarify :term:`KCONFIG_MODE` default behaviour
+-  ref-manual: classes: nativesdk: move note to appropriate section
+-  ref-manual: classes: reword to clarify that native/nativesdk options are exclusive
+-  ref-manual: kernel-fitimage.bbclass does not use :term:`SPL_SIGN_KEYNAME`
+-  scripts/install-buildtools: Update to 4.0.27
+-  sphinx-lint: role missing opening tag colon
+-  sphinx-lint: trailing whitespace
+-  sphinx-lint: unbalanced inline literal markup
+-  sysstat: correct the :term:`SRC_URI`
+-  systemtap: add sysroot Python paths to configure flags
+-  test-manual/intro: remove Buildbot version used
+-  util-linux: Add fix to isolate test fstab entries using CUSTOM_FSTAB
+-  xz: Update :term:`LICENSE` variable for xz packages
+
+
+Known Issues in Yocto-4.0.28
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- N/A
+
+
+Contributors to Yocto-4.0.28
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  Aditya Tayade
+-  Adrian Freihofer
+-  Aleksandar Nikolic
+-  Alper Ak
+-  Antonin Godard
+-  Archana Polampalli
+-  Ashish Sharma
+-  Bruce Ashfield
+-  Carlos Sánchez de La Lama
+-  Changqing Li
+-  Christos Gavros
+-  Colin Pinnell McAllister
+-  Deepesh Varatharajan
+-  Divya Chellam
+-  Enrico Jörns
+-  Etienne Cordonnier
+-  Guocai He
+-  Harish Sadineni
+-  Hitendra Prajapati
+-  Jiaying Song
+-  Lee Chee Yang
+-  Martin Jansa
+-  Moritz Haase
+-  NeilBrown
+-  Peter Marko
+-  Poonam Jadhav
+-  Praveen Kumar
+-  Quentin Schulz
+-  Richard Purdie
+-  Robert P. J. Day
+-  Soumya Sambu
+-  Steve Sakoman
+-  Sundeep KOKKONDA
+-  Sunil Dora
+-  Trevor Woerner
+-  Vijay Anusuri
+-  Virendra Thakur
+-  Yi Zhao
+-  aszh07
+
+
+Repositories / Downloads for Yocto-4.0.28
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+poky
+
+-  Repository Location: :yocto_git:`/poky`
+-  Branch: :yocto_git:`kirkstone </poky/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.28 </poky/log/?h=yocto-4.0.28>`
+-  Git Revision: :yocto_git:`78c9cb3eaf071932567835742608404d5ce23cc4 </poky/commit/?id=78c9cb3eaf071932567835742608404d5ce23cc4>`
+-  Release Artefact: poky-78c9cb3eaf071932567835742608404d5ce23cc4
+-  sha: 9c73c6f89e70c2041a52851e5cc582e5a2f05ad2fdc110d2c518f2c4994e8de3
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.28/poky-78c9cb3eaf071932567835742608404d5ce23cc4.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.28/poky-78c9cb3eaf071932567835742608404d5ce23cc4.tar.bz2
+
+openembedded-core
+
+-  Repository Location: :oe_git:`/openembedded-core`
+-  Branch: :oe_git:`kirkstone </openembedded-core/log/?h=kirkstone>`
+-  Tag:  :oe_git:`yocto-4.0.28 </openembedded-core/log/?h=yocto-4.0.28>`
+-  Git Revision: :oe_git:`75e54301c5076eb0454aee33c870adf078f563fd </openembedded-core/commit/?id=75e54301c5076eb0454aee33c870adf078f563fd>`
+-  Release Artefact: oecore-75e54301c5076eb0454aee33c870adf078f563fd
+-  sha: c5ffceab90881c4041ec4304da8b7b32d9c1f89a4c63ee7b8cbd53c796b0187b
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.28/oecore-75e54301c5076eb0454aee33c870adf078f563fd.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.28/oecore-75e54301c5076eb0454aee33c870adf078f563fd.tar.bz2
+
+meta-mingw
+
+-  Repository Location: :yocto_git:`/meta-mingw`
+-  Branch: :yocto_git:`kirkstone </meta-mingw/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.28 </meta-mingw/log/?h=yocto-4.0.28>`
+-  Git Revision: :yocto_git:`87c22abb1f11be430caf4372e6b833dc7d77564e </meta-mingw/commit/?id=87c22abb1f11be430caf4372e6b833dc7d77564e>`
+-  Release Artefact: meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e
+-  sha: f0bc4873e2e0319fb9d6d6ab9b98eb3f89664d4339a167d2db6a787dd12bc1a8
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.28/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.28/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+
+meta-gplv2
+
+-  Repository Location: :yocto_git:`/meta-gplv2`
+-  Branch: :yocto_git:`kirkstone </meta-gplv2/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.28 </meta-gplv2/log/?h=yocto-4.0.28>`
+-  Git Revision: :yocto_git:`d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a </meta-gplv2/commit/?id=d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a>`
+-  Release Artefact: meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a
+-  sha: c386f59f8a672747dc3d0be1d4234b6039273d0e57933eb87caa20f56b9cca6d
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.28/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.28/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+
+bitbake
+
+-  Repository Location: :oe_git:`/bitbake`
+-  Branch: :oe_git:`2.0 </bitbake/log/?h=2.0>`
+-  Tag:  :oe_git:`yocto-4.0.28 </bitbake/log/?h=yocto-4.0.28>`
+-  Git Revision: :oe_git:`046871d9fd76efdca7b72718b328d8f545523f7e </bitbake/commit/?id=046871d9fd76efdca7b72718b328d8f545523f7e>`
+-  Release Artefact: bitbake-046871d9fd76efdca7b72718b328d8f545523f7e
+-  sha: e9df0a9f5921b583b539188d66b23f120e1751000e7822e76c3391d5c76ee21a
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.28/bitbake-046871d9fd76efdca7b72718b328d8f545523f7e.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.28/bitbake-046871d9fd76efdca7b72718b328d8f545523f7e.tar.bz2
+
+meta-yocto
+
+-  Repository Location: :yocto_git:`/meta-yocto`
+-  Branch: :yocto_git:`kirkstone </meta-yocto/log/?h=kirkstone>`
+-  Tag: :yocto_git:`yocto-4.0.28 </meta-yocto/log/?h=yocto-4.0.28>`
+-  Git Revision: :yocto_git:`0bf3dcef1caa80fb047bf9c3514314ab658e30ea </meta-yocto/commit/?id=0bf3dcef1caa80fb047bf9c3514314ab658e30ea>`
+
+yocto-docs
+
+-  Repository Location: :yocto_git:`/yocto-docs`
+-  Branch: :yocto_git:`kirkstone </yocto-docs/log/?h=kirkstone>`
+-  Tag: :yocto_git:`yocto-4.0.28 </yocto-docs/log/?h=yocto-4.0.28>`
+-  Git Revision: :yocto_git:`97cd3ee7f3bf1de8454708d1852ea9cdbd45c39b </yocto-docs/commit/?id=97cd3ee7f3bf1de8454708d1852ea9cdbd45c39b>`
+

documentation/migration-guides/release-notes-4.0.29.rst

@@ -0,0 +1,178 @@
+Release notes for Yocto-4.0.29 (Kirkstone)
+------------------------------------------
+
+Security Fixes in Yocto-4.0.29
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  avahi: Fix :cve_nist:`2024-52615`
+-  binutils: Fix :cve_nist:`2025-7545` and :cve_nist:`2025-7546`
+-  coreutils: Fix :cve_nist:`2025-5278`
+-  curl: Fix :cve_nist:`2024-11053` and :cve_nist:`2025-0167`
+-  dropbear: Fix :cve_nist:`2025-47203`
+-  ffmpeg: Ignore :cve_nist:`2022-3109` and :cve_nist:`2022-3341`
+-  gdk-pixbuf: Fix :cve_nist:`2025-7345`
+-  ghostscript: Ignore :cve_nist:`2025-46646`
+-  gnupg: Fix :cve_nist:`2025-30258`
+-  gnutls: Fix :cve_nist:`2025-6395`, :cve_nist:`2025-32988`, :cve_nist:`2025-32989` and
+   :cve_nist:`2025-32990`
+-  iputils: Fix :cve_nist:`2025-48964`
+-  libarchive: Fix :cve_nist:`2025-5914`, :cve_nist:`2025-5915`, :cve_nist:`2025-5916` and
+   :cve_nist:`2025-5917`
+-  libpam: Fix :cve_nist:`2025-6020`
+-  libsoup-2.4: Fix :cve_nist:`2025-4945`
+-  libsoup-2.4: Fix :cve_nist:`2025-4969` (update patch)
+-  libsoup: Fix :cve_nist:`2025-4945`, :cve_nist:`2025-6021`, :cve_nist:`2025-6170`,
+   :cve_nist:`2025-49794` and :cve_nist:`2025-49796`
+-  ncurses: Fix :cve_nist:`2025-6141`
+-  ofono: Fix :cve_nist:`2023-4232` and :cve_nist:`2023-4235`
+-  openssl: Fix :cve_nist:`2024-41996`
+-  python3-urllib3: Fix :cve_nist:`2025-50181`
+-  ruby: Fix :cve_nist:`2024-43398` (update patches)
+-  sqlite3: Fix :cve_nist:`2025-6965` and :cve_nist:`2025-7458`
+-  sqlite3: Ignore :cve_nist:`2025-3277`
+-  systemd: Fix :cve_nist:`2025-4598`
+-  xwayland: Fix :cve_nist:`2025-49175`, :cve_nist:`2025-49176`, :cve_nist:`2025-49177`,
+   :cve_nist:`2025-49178`, :cve_nist:`2025-49179` and :cve_nist:`2025-49180`
+
+
+Fixes in Yocto-4.0.29
+~~~~~~~~~~~~~~~~~~~~~
+
+-  bintuils: stable 2.38 branch update
+-  bitbake: test/fetch: Switch u-boot based test to use our own mirror
+-  build-appliance-image: Update to kirkstone head revision
+-  conf.py: improve SearchEnglish to handle terms with dots
+-  db: ignore implicit-int and implicit-function-declaration issues fatal with gcc-14
+-  dev-manual/start.rst: added missing command in Optimize your VHDX file using DiskPart
+-  glibc: stable 2.35 branch updates
+-  gnutls: patch read buffer overrun in the "pre_shared_key" extension
+-  gnutls: patch reject zero-length version in certificate request
+-  linux-yocto/5.15: update to v5.15.186
+-  migration-guides: add release notes for 4.0.28
+-  oeqa/core/decorator: add decorators to skip based on :term:`HOST_ARCH`
+-  openssl: upgrade to 3.0.17
+-  orc: set :term:`CVE_PRODUCT`
+-  overview-manual/concepts.rst: fix sayhello hardcoded bindir
+-  poky.conf: bump version for 4.0.29
+-  python3: update CVE product
+-  ref-manual: document :term:`KERNEL_SPLIT_MODULES` variable
+-  scripts/install-buildtools: Update to 4.0.28
+-  sudo: upgrade to 1.9.17p1
+-  tcf-agent: correct the :term:`SRC_URI`
+
+
+Known Issues in Yocto-4.0.29
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- N/A 
+
+
+Contributors to Yocto-4.0.29
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  Aleksandar Nikolic
+-  Antonin Godard
+-  Archana Polampalli
+-  Bruce Ashfield
+-  Changqing Li
+-  Chen Qi
+-  Colin Pinnell McAllister
+-  Daniel Díaz
+-  Deepesh Varatharajan
+-  Divya Chellam
+-  Dixit Parmar
+-  Enrico Jörns
+-  Guocai He
+-  Hitendra Prajapati
+-  Lee Chee Yang
+-  Marco Cavallini
+-  Martin Jansa
+-  Peter Marko
+-  Praveen Kumar
+-  Richard Purdie
+-  Rob Woolley
+-  Ross Burton
+-  Steve Sakoman
+-  Vijay Anusuri
+-  Yash Shinde
+-  Yogita Urade
+-  Zhang Peng
+
+
+Repositories / Downloads for Yocto-4.0.29
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+poky
+
+-  Repository Location: :yocto_git:`/poky`
+-  Branch: :yocto_git:`kirkstone </poky/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.29 </poky/log/?h=yocto-4.0.29>`
+-  Git Revision: :yocto_git:`81ab000fa437ca04f584a3327b076f7a512dc6d0 </poky/commit/?id=81ab000fa437ca04f584a3327b076f7a512dc6d0>`
+-  Release Artefact: poky-81ab000fa437ca04f584a3327b076f7a512dc6d0
+-  sha: 2fecf3cac5c2361c201b5ae826960af92289862ec9be13837a8431138e534fd2
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.29/poky-81ab000fa437ca04f584a3327b076f7a512dc6d0.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.29/poky-81ab000fa437ca04f584a3327b076f7a512dc6d0.tar.bz2
+
+openembedded-core
+
+-  Repository Location: :oe_git:`/openembedded-core`
+-  Branch: :oe_git:`kirkstone </openembedded-core/log/?h=kirkstone>`
+-  Tag:  :oe_git:`yocto-4.0.29 </openembedded-core/log/?h=yocto-4.0.29>`
+-  Git Revision: :oe_git:`bd620eb14660075fd0f7476bbbb65d5da6293874 </openembedded-core/commit/?id=bd620eb14660075fd0f7476bbbb65d5da6293874>`
+-  Release Artefact: oecore-bd620eb14660075fd0f7476bbbb65d5da6293874
+-  sha: f32ab195c7090268e6e87ccf8db2813cf705c517030654326d14b25d926de88e
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.29/oecore-bd620eb14660075fd0f7476bbbb65d5da6293874.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.29/oecore-bd620eb14660075fd0f7476bbbb65d5da6293874.tar.bz2
+
+meta-mingw
+
+-  Repository Location: :yocto_git:`/meta-mingw`
+-  Branch: :yocto_git:`kirkstone </meta-mingw/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.29 </meta-mingw/log/?h=yocto-4.0.29>`
+-  Git Revision: :yocto_git:`87c22abb1f11be430caf4372e6b833dc7d77564e </meta-mingw/commit/?id=87c22abb1f11be430caf4372e6b833dc7d77564e>`
+-  Release Artefact: meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e
+-  sha: f0bc4873e2e0319fb9d6d6ab9b98eb3f89664d4339a167d2db6a787dd12bc1a8
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.29/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.29/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+
+meta-gplv2
+
+-  Repository Location: :yocto_git:`/meta-gplv2`
+-  Branch: :yocto_git:`kirkstone </meta-gplv2/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.29 </meta-gplv2/log/?h=yocto-4.0.29>`
+-  Git Revision: :yocto_git:`d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a </meta-gplv2/commit/?id=d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a>`
+-  Release Artefact: meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a
+-  sha: c386f59f8a672747dc3d0be1d4234b6039273d0e57933eb87caa20f56b9cca6d
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.29/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.29/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+
+bitbake
+
+-  Repository Location: :oe_git:`/bitbake`
+-  Branch: :oe_git:`2.0 </bitbake/log/?h=2.0>`
+-  Tag:  :oe_git:`yocto-4.0.29 </bitbake/log/?h=yocto-4.0.29>`
+-  Git Revision: :oe_git:`8e2d1f8de055549b2101614d85454fcd1d0f94b2 </bitbake/commit/?id=8e2d1f8de055549b2101614d85454fcd1d0f94b2>`
+-  Release Artefact: bitbake-8e2d1f8de055549b2101614d85454fcd1d0f94b2
+-  sha: fad4e7699bae62082118e89785324b031b0af0743064caee87c91ba28549afb0
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.29/bitbake-8e2d1f8de055549b2101614d85454fcd1d0f94b2.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.29/bitbake-8e2d1f8de055549b2101614d85454fcd1d0f94b2.tar.bz2
+
+meta-yocto
+
+-  Repository Location: :yocto_git:`/meta-yocto`
+-  Branch: :yocto_git:`kirkstone </meta-yocto/log/?h=kirkstone>`
+-  Tag: :yocto_git:`yocto-4.0.29 </meta-yocto/log/?h=yocto-4.0.29>`
+-  Git Revision: :yocto_git:`e916d3bad58f955b73e2c67aba975e63cd191394 </meta-yocto/commit/?id=e916d3bad58f955b73e2c67aba975e63cd191394>`
+
+yocto-docs
+
+-  Repository Location: :yocto_git:`/yocto-docs`
+-  Branch: :yocto_git:`kirkstone </yocto-docs/log/?h=kirkstone>`
+-  Tag: :yocto_git:`yocto-4.0.29 </yocto-docs/log/?h=yocto-4.0.29>`
+-  Git Revision: :yocto_git:`bf855ecaf4bec4cef9bbfea2e50caa65a8339828 </yocto-docs/commit/?id=bf855ecaf4bec4cef9bbfea2e50caa65a8339828>`
+

documentation/migration-guides/release-notes-4.0.30.rst

@@ -0,0 +1,170 @@
+Release notes for Yocto-4.0.30 (Kirkstone)
+------------------------------------------
+
+Security Fixes in Yocto-4.0.30
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  cups: Fix :cve_nist:`2025-58060` and :cve_nist:`2025-58364`
+-  dpkg: Fix :cve_nist:`2025-6297`
+-  ffmpeg: Fix :cve_nist:`2023-6602`, :cve_nist:`2023-6604`, :cve_nist:`2023-6605`,
+   :cve_nist:`2025-1594` and CVE-2025-7700
+-  git: Fix :cve_nist:`2025-27613`, :cve_nist:`2025-27614`, :cve_nist:`2025-46334`,
+   :cve_nist:`2025-46835` and :cve_nist:`2025-48384`
+-  glib-2.0: Fix :cve_nist:`2025-7039`
+-  glib-2.0: Ignore :cve_nist:`2025-4056`
+-  go: Ignore :cve_nist:`2024-24790` and :cve_nist:`2025-0913`
+-  gstreamer1.0-plugins-base: Fix :cve_nist:`2025-47806`, :cve_nist:`2025-47807` and
+   :cve_nist:`2025-47808`
+-  gstreamer1.0-plugins-good: Fix :cve_nist:`2025-47183` and :cve_nist:`2025-47219`
+-  libarchive: Fix :cve_nist:`2025-5918`
+-  libxslt: Fix :cve_nist:`2023-40403`
+-  openssl: Fix :cve_nist:`2023-50781`
+-  python3: Fix :cve_nist:`2025-8194`
+-  qemu: Ignore :cve_nist:`2024-7730`
+-  sqlite3: Revert "sqlite3: patch CVE-2025-7458"
+-  tiff: Fix :cve_nist:`2024-13978`, :cve_nist:`2025-8176`, :cve_nist:`2025-8177`,
+   :cve_nist:`2025-8534` and :cve_nist:`2025-8851`
+-  vim: Fix :cve_nist:`2025-53905` and :cve_nist:`2025-53906`
+-  wpa-supplicant: Fix :cve_nist:`2022-37660`
+-  xserver-xorg: Fix :cve_nist:`2025-49175`, :cve_nist:`2025-49176`, :cve_nist:`2025-49177`,
+   :cve_nist:`2025-49178`, :cve_nist:`2025-49179` and :cve_nist:`2025-49180`
+
+
+Fixes in Yocto-4.0.30
+~~~~~~~~~~~~~~~~~~~~~
+
+-  build-appliance-image: Update to kirkstone head revision
+-  default-distrovars.inc: Fix CONNECTIVITY_CHECK_URIS redirect issue
+-  dev-manual/security-subjects.rst: update mailing lists
+-  gnupg: disable tests to avoid running target binaries at build time
+-  go-helloworld: fix license
+-  insane: Ensure that `src-uri-bad` fails correctly
+-  insane: Improve patch warning/error handling
+-  libubootenv: backport patch to fix unknown type name 'size_t'
+-  llvm: fix typo in CVE-2024-0151.patch
+-  migration-guides: add release notes for 4.0.29
+-  overview-manual/yp-intro.rst: fix broken link to article
+-  poky.conf: bump version for 4.0.30
+-  pulseaudio: Add audio group explicitly
+-  ref-manual/classes.rst: document the testexport class
+-  ref-manual/system-requirements.rst: update supported distributions
+-  ref-manual/variables.rst: document :term:`FIT_CONF_PREFIX` :term:`SPL_DTB_BINARY` variable
+-  ref-manual/variables.rst: expand :term:`IMAGE_OVERHEAD_FACTOR` glossary entry
+-  sdk: The main in the C example should return an int
+-  sudo: remove devtool FIXME comment
+-  systemd: Fix manpage build after :cve_nist:`2025-4598`
+-  vim: not adjust script pathnames for native scripts either
+-  vim: upgrade to 9.1.1652
+
+
+Known Issues in Yocto-4.0.30
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- N/A
+
+Contributors to Yocto-4.0.30
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  Antonin Godard
+-  Archana Polampalli
+-  Dan McGregor
+-  Deepak Rathore
+-  Divya Chellam
+-  Erik Lindsten
+-  Guocai He
+-  Gyorgy Sarvari
+-  Hitendra Prajapati
+-  Jan Vermaete
+-  Jiaying Song
+-  Joao Marcos Costa
+-  Kyungjik Min
+-  Lee Chee Yang
+-  Mingli Yu
+-  Peter Marko
+-  Philip Lorenz
+-  Praveen Kumar
+-  Quentin Schulz
+-  Richard Purdie
+-  Steve Sakoman
+-  Vijay Anusuri
+-  Yogita Urade
+-  Youngseok Jeong
+
+
+Repositories / Downloads for Yocto-4.0.30
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+poky
+
+-  Repository Location: :yocto_git:`/poky`
+-  Branch: :yocto_git:`kirkstone </poky/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.30 </poky/log/?h=yocto-4.0.30>`
+-  Git Revision: :yocto_git:`51dc9c464de0703bfbc6f1ee71ac9bea20933a45 </poky/commit/?id=51dc9c464de0703bfbc6f1ee71ac9bea20933a45>`
+-  Release Artefact: poky-51dc9c464de0703bfbc6f1ee71ac9bea20933a45
+-  sha: 2b5db0a07598df7684975c0839e6f31515a8e78d366503feb9917ef1ca56c0b2
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.30/poky-51dc9c464de0703bfbc6f1ee71ac9bea20933a45.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.30/poky-51dc9c464de0703bfbc6f1ee71ac9bea20933a45.tar.bz2
+
+openembedded-core
+
+-  Repository Location: :oe_git:`/openembedded-core`
+-  Branch: :oe_git:`kirkstone </openembedded-core/log/?h=kirkstone>`
+-  Tag:  :oe_git:`yocto-4.0.30 </openembedded-core/log/?h=yocto-4.0.30>`
+-  Git Revision: :oe_git:`d381eeb5e70bd0ce9e78032c909e4a23564f4dd7 </openembedded-core/commit/?id=d381eeb5e70bd0ce9e78032c909e4a23564f4dd7>`
+-  Release Artefact: oecore-d381eeb5e70bd0ce9e78032c909e4a23564f4dd7
+-  sha: 022ab4ef5ac59ac3f01a9dacd8b1d6310cc117c6bed2e86e195ced88e0689c85
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.30/oecore-d381eeb5e70bd0ce9e78032c909e4a23564f4dd7.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.30/oecore-d381eeb5e70bd0ce9e78032c909e4a23564f4dd7.tar.bz2
+
+meta-mingw
+
+-  Repository Location: :yocto_git:`/meta-mingw`
+-  Branch: :yocto_git:`kirkstone </meta-mingw/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.30 </meta-mingw/log/?h=yocto-4.0.30>`
+-  Git Revision: :yocto_git:`87c22abb1f11be430caf4372e6b833dc7d77564e </meta-mingw/commit/?id=87c22abb1f11be430caf4372e6b833dc7d77564e>`
+-  Release Artefact: meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e
+-  sha: f0bc4873e2e0319fb9d6d6ab9b98eb3f89664d4339a167d2db6a787dd12bc1a8
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.30/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.30/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+
+meta-gplv2
+
+-  Repository Location: :yocto_git:`/meta-gplv2`
+-  Branch: :yocto_git:`kirkstone </meta-gplv2/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.30 </meta-gplv2/log/?h=yocto-4.0.30>`
+-  Git Revision: :yocto_git:`d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a </meta-gplv2/commit/?id=d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a>`
+-  Release Artefact: meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a
+-  sha: c386f59f8a672747dc3d0be1d4234b6039273d0e57933eb87caa20f56b9cca6d
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.30/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.30/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+
+bitbake
+
+-  Repository Location: :oe_git:`/bitbake`
+-  Branch: :oe_git:`2.0 </bitbake/log/?h=2.0>`
+-  Tag:  :oe_git:`yocto-4.0.30 </bitbake/log/?h=yocto-4.0.30>`
+-  Git Revision: :oe_git:`8e2d1f8de055549b2101614d85454fcd1d0f94b2 </bitbake/commit/?id=8e2d1f8de055549b2101614d85454fcd1d0f94b2>`
+-  Release Artefact: bitbake-8e2d1f8de055549b2101614d85454fcd1d0f94b2
+-  sha: fad4e7699bae62082118e89785324b031b0af0743064caee87c91ba28549afb0
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.30/bitbake-8e2d1f8de055549b2101614d85454fcd1d0f94b2.tar.bz2
+   https://mirrors.kernel.org/yocto/yocto/yocto-4.0.30/bitbake-8e2d1f8de055549b2101614d85454fcd1d0f94b2.tar.bz2
+
+meta-yocto
+
+-  Repository Location: :yocto_git:`/meta-yocto`
+-  Branch: :yocto_git:`kirkstone </meta-yocto/log/?h=kirkstone>`
+-  Tag: :yocto_git:`yocto-4.0.30 </meta-yocto/log/?h=yocto-4.0.30>`
+-  Git Revision: :yocto_git:`edf7950e4d81dd31f29a58acdd8022dabd2be494 </meta-yocto/commit/?id=edf7950e4d81dd31f29a58acdd8022dabd2be494>`
+
+yocto-docs
+
+-  Repository Location: :yocto_git:`/yocto-docs`
+-  Branch: :yocto_git:`kirkstone </yocto-docs/log/?h=kirkstone>`
+-  Tag: :yocto_git:`yocto-4.0.30 </yocto-docs/log/?h=yocto-4.0.30>`
+-  Git Revision: :yocto_git:`71a3933c609ce73ff07e5be48d9e7b03f22ef8d7 </yocto-docs/commit/?id=71a3933c609ce73ff07e5be48d9e7b03f22ef8d7>`
+

documentation/migration-guides/release-notes-4.0.31.rst

@@ -0,0 +1,210 @@
+Release notes for Yocto-4.0.31 (Kirkstone)
+------------------------------------------
+
+Security Fixes in Yocto-4.0.31
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  binutils: Fix :cve_nist:`2025-8225`, :cve_nist:`2025-11081`, :cve_nist:`2025-11082` and
+   :cve_nist:`2025-11083`
+-  busybox: Fix :cve_nist:`2025-46394`
+-  cmake: Fix :cve_nist:`2025-9301`
+-  curl: Fix :cve_nist:`2025-9086`
+-  ffmpeg: Ignore :cve_nist:`2023-6603`
+-  ffmpeg: mark :cve_nist:`2023-6601` as Fixed
+-  ghostscript: Fix :cve_nist:`2025-59798`, :cve_nist:`2025-59799` and :cve_nist:`2025-59800`
+-  git: Fix :cve_nist:`2025-48386`
+-  glib-networking: Fix :cve_nist:`2025-60018` and :cve_nist:`2025-60019`
+-  go: Fix :cve_nist:`2025-47906` and :cve_nist:`2025-47907`
+-  grub2: Fix :cve_nist:`2024-56738`
+-  grub: Ignore :cve_nist:`2024-2312`
+-  gstreamer1.0-plugins-bad: Fix :cve_nist:`2025-3887`
+-  gstreamer1.0: Ignore :cve_nist:`2025-2759`, :cve_nist:`2025-3887`, :cve_nist:`2025-47183`,
+   :cve_nist:`2025-47219`, :cve_nist:`2025-47806`, :cve_nist:`2025-47807` and :cve_nist:`2025-47808`
+-  python3-jinja2: Fix :cve_nist:`2024-56201`, :cve_nist:`2024-56326` and :cve_nist:`2025-27516`
+-  libxml2: Fix :cve_nist:`2025-9714`
+-  libxslt: Fix :cve_nist:`2025-7424`
+-  lz4: Fix :cve_nist:`2025-62813`
+-  openssl: Fix :cve_nist:`2025-9230` and :cve_nist:`2025-9232`
+-  pulseaudio: Ignore :cve_nist:`2024-11586`
+-  python3: Fix :cve_nist:`2024-6345`, :cve_nist:`2025-47273` and :cve_nist:`2025-59375`
+-  qemu: Fix :cve_nist:`2024-8354`
+-  tiff: Fix :cve_nist:`2025-8961`, :cve_nist:`2025-9165` and :cve_nist:`2025-9900`
+-  vim: Fix :cve_nist:`2025-9389`
+
+
+Fixes in Yocto-4.0.31
+~~~~~~~~~~~~~~~~~~~~~
+
+-  build-appliance-image: Update to kirkstone head revision
+-  poky.conf: bump version for 4.0.31
+-  ref-manual/classes.rst: document the relative_symlinks class
+-  ref-manual/classes.rst: gettext: extend the documentation of the class
+-  ref-manual/variables.rst: document the CCACHE_DISABLE, UNINATIVE_CHECKSUM, UNINATIVE_URL, USE_NLS,
+   REQUIRED_COMBINED_FEATURES, REQUIRED_IMAGE_FEATURES, :term:`REQUIRED_MACHINE_FEATURES` variable
+-  ref-manual/variables.rst: fix :term:`LAYERDEPENDS` description
+-  dev-manual, test-manual: Update autobuilder output links
+-  ref-manual/classes.rst: extend the uninative class documentation
+-  python3: upgrade to 3.10.19
+-  linux-yocto/5.15: update to v5.15.194
+-  glibc: : PTHREAD_COND_INITIALIZER compatibility with pre-2.41 versions (bug 32786)
+-  glibc: nptl Use all of g1_start and g_signals
+-  glibc: nptl rename __condvar_quiesce_and_switch_g1
+-  glibc: nptl Fix indentation
+-  glibc: nptl Use a single loop in pthread_cond_wait instaed of a nested loop
+-  glibc: Remove g_refs from condition variables
+-  glibc: nptl Remove unnecessary quadruple check in pthread_cond_wait
+-  glibc: nptl Remove unnecessary catch-all-wake in condvar group switch
+-  glibc: nptl Update comments and indentation for new condvar implementation
+-  glibc: pthreads NPTL lost wakeup fix 2
+-  glibc: Remove partial BZ#25847 backport patches
+-  vulnerabilities: update nvdcve file name
+-  migration-guides: add release notes for 4.0.30
+-  oeqa/sdk/cases/buildcpio.py: use gnu mirror instead of main server
+-  selftest/cases/meta_ide.py: use use gnu mirror instead of main server
+-  conf/bitbake.conf: use gnu mirror instead of main server
+-  p11-kit: backport fix for handle :term:`USE_NLS` from master
+-  systemd: backport fix for handle :term:`USE_NLS` from master
+-  glibc: stable 2.35 branch updates
+-  openssl: upgrade to 3.0.18
+-  scripts/install-buildtools: Update to 4.0.30
+-  ref-manual/variables.rst: fix the description of :term:`STAGING_DIR`
+-  ref-manual/structure: document the auto.conf file
+-  dev-manual/building.rst: add note about externalsrc variables absolute paths
+-  ref-manual/variables.rst: fix the description of :term:`KBUILD_DEFCONFIG`
+-  kernel-dev/common.rst: fix the in-tree defconfig description
+-  test-manual/yocto-project-compatible.rst: fix a typo
+-  contributor-guide: submit-changes: make "Crediting contributors" part of "Commit your changes"
+-  contributor-guide: submit-changes: number instruction list in commit your changes
+-  contributor-guide: submit-changes: reword commit message instructions
+-  contributor-guide: submit-changes: make the Cc tag follow kernel guidelines
+-  contributor-guide: submit-changes: align :term:`CC` tag description
+-  contributor-guide: submit-changes: clarify example with Yocto bug ID
+-  contributor-guide: submit-changes: fix improper bold string
+-  libhandy: update git branch name
+-  python3-jinja2: upgrade to 3.1.6
+-  vim: upgrade to 9.1.1683
+
+
+Known Issues in Yocto-4.0.31
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- N/A
+
+
+Contributors to Yocto-4.0.31
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  Adam Blank
+-  Aleksandar Nikolic
+-  Antonin Godard
+-  Archana Polampalli
+-  AshishKumar Mishra
+-  Bruce Ashfield
+-  Deepesh Varatharajan
+-  Divya Chellam
+-  Gyorgy Sarvari
+-  Hitendra Prajapati
+-  João Marcos Costa
+-  Lee Chee Yang
+-  Paul Barker
+-  Peter Marko
+-  Praveen Kumar
+-  Quentin Schulz
+-  Rajeshkumar Ramasamy
+-  Saravanan
+-  Soumya Sambu
+-  Steve Sakoman
+-  Sunil Dora
+-  Talel BELHAJ SALEM
+-  Theo GAIGE
+-  Vijay Anusuri
+-  Yash Shinde
+-  Yogita Urade
+
+Repositories / Downloads for Yocto-4.0.31
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+yocto-docs
+
+-  Repository Location: :yocto_git:`/yocto-docs`
+-  Branch: :yocto_git:`kirkstone </yocto-docs/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.31 </yocto-docs/log/?h=yocto-4.0.31>`
+-  Git Revision: :yocto_git:`073f3bca4c374b03398317e7f445d2440a287741 </yocto-docs/commit/?id=073f3bca4c374b03398317e7f445d2440a287741>`
+-  Release Artefact: yocto-docs-073f3bca4c374b03398317e7f445d2440a287741
+-  sha: 3bfde9b6ad310dd42817509b67f61cd69552f74b2bc5011bd20788fe96d6823b
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.31/yocto-docs-073f3bca4c374b03398317e7f445d2440a287741.tar.bz2
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.31/yocto-docs-073f3bca4c374b03398317e7f445d2440a287741.tar.bz2
+
+poky
+
+-  Repository Location: :yocto_git:`/poky`
+-  Branch: :yocto_git:`kirkstone </poky/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.31 </poky/log/?h=yocto-4.0.31>`
+-  Git Revision: :yocto_git:`04b39e5b7eb19498215d85c88a5fffb460fea1eb </poky/commit/?id=04b39e5b7eb19498215d85c88a5fffb460fea1eb>`
+-  Release Artefact: poky-04b39e5b7eb19498215d85c88a5fffb460fea1eb
+-  sha: 0ca18ab1ed25c0d77412ba30dbb03d74811756c7c2fe2401940f848a5e734930
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.31/poky-04b39e5b7eb19498215d85c88a5fffb460fea1eb.tar.bz2
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.31/poky-04b39e5b7eb19498215d85c88a5fffb460fea1eb.tar.bz2
+
+openembedded-core
+
+-  Repository Location: :oe_git:`/openembedded-core`
+-  Branch: :oe_git:`kirkstone </openembedded-core/log/?h=kirkstone>`
+-  Tag:  :oe_git:`yocto-4.0.31 </openembedded-core/log/?h=yocto-4.0.31>`
+-  Git Revision: :oe_git:`99204008786f659ab03538cd2ae2fd23ed4164c5 </openembedded-core/commit/?id=99204008786f659ab03538cd2ae2fd23ed4164c5>`
+-  Release Artefact: oecore-99204008786f659ab03538cd2ae2fd23ed4164c5
+-  sha: aa97bf826ad217b3a5278b4ad60bef4d194f0f1ff617677cf2323d3cc4897687
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.31/oecore-99204008786f659ab03538cd2ae2fd23ed4164c5.tar.bz2
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.31/oecore-99204008786f659ab03538cd2ae2fd23ed4164c5.tar.bz2
+
+meta-yocto
+
+-  Repository Location: :yocto_git:`/meta-yocto`
+-  Branch: :yocto_git:`kirkstone </meta-yocto/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.31 </meta-yocto/log/?h=yocto-4.0.31>`
+-  Git Revision: :yocto_git:`3b2df00345b46479237fe0218675a818249f891c </meta-yocto/commit/?id=3b2df00345b46479237fe0218675a818249f891c>`
+-  Release Artefact: meta-yocto-3b2df00345b46479237fe0218675a818249f891c
+-  sha: 630e99e0f515bab8a316b2e32aff1352b4404f15aa087e8821b84093596a08ce
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.31/meta-yocto-3b2df00345b46479237fe0218675a818249f891c.tar.bz2
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.31/meta-yocto-3b2df00345b46479237fe0218675a818249f891c.tar.bz2
+
+meta-mingw
+
+-  Repository Location: :yocto_git:`/meta-mingw`
+-  Branch: :yocto_git:`kirkstone </meta-mingw/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.31 </meta-mingw/log/?h=yocto-4.0.31>`
+-  Git Revision: :yocto_git:`87c22abb1f11be430caf4372e6b833dc7d77564e </meta-mingw/commit/?id=87c22abb1f11be430caf4372e6b833dc7d77564e>`
+-  Release Artefact: meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e
+-  sha: f0bc4873e2e0319fb9d6d6ab9b98eb3f89664d4339a167d2db6a787dd12bc1a8
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.31/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.31/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+
+meta-gplv2
+
+-  Repository Location: :yocto_git:`/meta-gplv2`
+-  Branch: :yocto_git:`kirkstone </meta-gplv2/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.31 </meta-gplv2/log/?h=yocto-4.0.31>`
+-  Git Revision: :yocto_git:`d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a </meta-gplv2/commit/?id=d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a>`
+-  Release Artefact: meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a
+-  sha: c386f59f8a672747dc3d0be1d4234b6039273d0e57933eb87caa20f56b9cca6d
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.31/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.31/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+
+bitbake
+
+-  Repository Location: :oe_git:`/bitbake`
+-  Branch: :oe_git:`2.0 </bitbake/log/?h=2.0>`
+-  Tag:  :oe_git:`yocto-4.0.31 </bitbake/log/?h=yocto-4.0.31>`
+-  Git Revision: :oe_git:`8e2d1f8de055549b2101614d85454fcd1d0f94b2 </bitbake/commit/?id=8e2d1f8de055549b2101614d85454fcd1d0f94b2>`
+-  Release Artefact: bitbake-8e2d1f8de055549b2101614d85454fcd1d0f94b2
+-  sha: fad4e7699bae62082118e89785324b031b0af0743064caee87c91ba28549afb0
+-  Download Locations:
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.31/bitbake-8e2d1f8de055549b2101614d85454fcd1d0f94b2.tar.bz2
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.31/bitbake-8e2d1f8de055549b2101614d85454fcd1d0f94b2.tar.bz2
+

documentation/migration-guides/release-notes-4.0.32.rst

@@ -0,0 +1,194 @@
+Release notes for Yocto-4.0.32 (Kirkstone)
+------------------------------------------
+
+Security Fixes in Yocto-4.0.32
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+-  bind: Fix :cve_nist:`2025-8677`, :cve_nist:`2025-40778` and :cve_nist:`2025-40780`
+-  binutils: Fix :cve_nist:`2025-11412` and :cve_nist:`2025-11413`
+-  curl: Ignore :cve_nist:`2025-10966`
+-  elfutils: Fix :cve_nist:`2025-1376` and :cve_nist:`2025-1377`
+-  gnutls: Fix :cve_nist:`2025-9820`
+-  go: Fix :cve_nist:`2024-24783`, :cve_nist:`2025-58187`, :cve_nist:`2025-58189`,
+   :cve_nist:`2025-61723` and :cve_nist:`2025-61724`
+-  libarchive: Fix :cve_nist:`2025-60753`
+-  libarchive: Fix 2 security issue (https://github.com/libarchive/libarchive/pull/2753 and
+   https://github.com/libarchive/libarchive/pull/2768)
+-  libpng: Fix :cve_nist:`2025-64505`, :cve_nist:`2025-64506`, :cve_nist:`2025-64720`,
+   :cve_nist:`2025-65018` and :cve_nist:`2025-66293`
+-  libxml2: Fix :cve_nist:`2025-7425`
+-  musl: Fix :cve_nist:`2025-26519`
+-  openssh: Fix :cve_nist:`2025-61984` and :cve_nist:`2025-61985`
+-  python3-idna: Fix :cve_nist:`2024-3651`
+-  python3-urllib3: Fix :cve_nist:`2024-37891`
+-  python3: fix :cve_nist:`2025-6075`
+-  ruby: Fix :cve_nist:`2024-35176`, :cve_nist:`2024-39908` and :cve_nist:`2024-41123`
+-  rust-cross-canadian: Ignore :cve_nist:`2024-43402`
+-  u-boot: Fix :cve_nist:`2024-42040`
+-  wpa-supplicant: Fix :cve_nist:`2025-24912`
+-  xserver-xorg: Fix :cve_nist:`2025-62229`, :cve_nist:`2025-62230` and :cve_nist:`2025-62231`
+-  xwayland: Fix :cve_nist:`2025-62229`, :cve_nist:`2025-62230` and :cve_nist:`2025-62231`
+
+
+Fixes in Yocto-4.0.32
+~~~~~~~~~~~~~~~~~~~~~
+
+-  babeltrace2: fetch with https protocol
+-  bind: upgrade to 9.18.41
+-  build-appliance-image: Update to kirkstone head revision
+-  dev-manual/layers.rst: document "bitbake-layers show-machines"
+-  dev-manual/new-recipe.rst: replace 'bitbake -e' with 'bitbake-getvar'
+-  dev-manual/new-recipe.rst: typo, "whith" -> "which"
+-  dev-manual/new-recipe.rst: update "recipetool -h" output
+-  dev-manual: debugging: use bitbake-getvar in Viewing Variable Values section
+-  documentation: link to the Releases page on yoctoproject.org instead of wiki
+-  efibootmgr: update :term:`SRC_URI` branch
+-  flac: patch seeking bug
+-  goarch.bbclass: do not leak :term:`TUNE_FEATURES` into crosssdk task signatures
+-  kernel-dev: add disable config example
+-  kernel-dev: common: migrate bitbake -e to bitbake-getvar
+-  libmicrohttpd: disable experimental code by default
+-  migration-guides: add release notes for 4.0.31
+-  oe-build-perf-report: relax metadata matching rules
+-  overview-manual: migrate to SVG + fix typo
+-  poky.conf: bump version for 4.0.32
+-  python3-urllib3: upgrade to 1.26.20
+-  recipes: Don't use ftp.gnome.org
+-  ref-manual: variables: migrate the :term:`OVERRIDES` note to bitbake-getvar
+-  systemd-bootchart: update :term:`SRC_URI` branch
+-  xf86-video-intel: correct :term:`SRC_URI` as freedesktop anongit is down
+
+
+Known Issues in Yocto-4.0.32
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- N/A
+
+
+Contributors to Yocto-4.0.32
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Thanks to the following people who contributed to this release:
+
+-  Alexander Kanavin
+-  Archana Polampalli
+-  Divya Chellam
+-  Gyorgy Sarvari
+-  Hitendra Prajapati
+-  Hongxu Jia
+-  Jason Schonberg
+-  Lee Chee Yang
+-  Peter Marko
+-  Praveen Kumar
+-  Quentin Schulz
+-  Richard Purdie
+-  Robert P. J. Day
+-  Ross Burton
+-  Saquib Iltaf
+-  Soumya Sambu
+-  Steve Sakoman
+-  Vijay Anusuri
+-  Walter Werner SCHNEIDER
+
+
+Repositories / Downloads for Yocto-4.0.32
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+yocto-docs
+
+-  Repository Location: :yocto_git:`/yocto-docs`
+-  Branch: :yocto_git:`kirkstone </yocto-docs/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.32 </yocto-docs/log/?h=yocto-4.0.32>`
+-  Git Revision: :yocto_git:`4b9df539fa06fb19ed8b51ef2d46e5c56779de81 </yocto-docs/commit/?id=4b9df539fa06fb19ed8b51ef2d46e5c56779de81>`
+-  Release Artefact: yocto-docs-4b9df539fa06fb19ed8b51ef2d46e5c56779de81
+-  sha: 70ee2caf576683c5f31ac5a592cde1c0650ece25cfcd5ff3cc7eedf531575611
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.32/yocto-docs-4b9df539fa06fb19ed8b51ef2d46e5c56779de81.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.32/yocto-docs-4b9df539fa06fb19ed8b51ef2d46e5c56779de81.tar.bz2
+
+poky
+
+-  Repository Location: :yocto_git:`/poky`
+-  Branch: :yocto_git:`kirkstone </poky/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.32 </poky/log/?h=yocto-4.0.32>`
+-  Git Revision: :yocto_git:`2c05660b21c7cc1082aeac8b75d8a2d82e249f63 </poky/commit/?id=2c05660b21c7cc1082aeac8b75d8a2d82e249f63>`
+-  Release Artefact: poky-2c05660b21c7cc1082aeac8b75d8a2d82e249f63
+-  sha: d7a55a18a597a7b140a81586b7ca6379c208ebbb3285de36c48fde10882947d8
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.32/poky-2c05660b21c7cc1082aeac8b75d8a2d82e249f63.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.32/poky-2c05660b21c7cc1082aeac8b75d8a2d82e249f63.tar.bz2
+
+openembedded-core
+
+-  Repository Location: :oe_git:`/openembedded-core`
+-  Branch: :oe_git:`kirkstone </openembedded-core/log/?h=kirkstone>`
+-  Tag:  :oe_git:`yocto-4.0.32 </openembedded-core/log/?h=yocto-4.0.32>`
+-  Git Revision: :oe_git:`2ed3f8b938579dbbb804e04c45a968cc57761db7 </openembedded-core/commit/?id=2ed3f8b938579dbbb804e04c45a968cc57761db7>`
+-  Release Artefact: oecore-2ed3f8b938579dbbb804e04c45a968cc57761db7
+-  sha: 11b9632586dfbf3f0ef69eca2014a8002f25ca8d53cfe9424e27361ba3a20831
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.32/oecore-2ed3f8b938579dbbb804e04c45a968cc57761db7.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.32/oecore-2ed3f8b938579dbbb804e04c45a968cc57761db7.tar.bz2
+
+meta-yocto
+
+-  Repository Location: :yocto_git:`/meta-yocto`
+-  Branch: :yocto_git:`kirkstone </meta-yocto/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.32 </meta-yocto/log/?h=yocto-4.0.32>`
+-  Git Revision: :yocto_git:`77b40877c179ea3ce5c37c7ba1831e9c0e289266 </meta-yocto/commit/?id=77b40877c179ea3ce5c37c7ba1831e9c0e289266>`
+-  Release Artefact: meta-yocto-77b40877c179ea3ce5c37c7ba1831e9c0e289266
+-  sha: e908d42690881cd6e07b9ca18a21eb8761a0ec72d940b12905622e75ba913974
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.32/meta-yocto-77b40877c179ea3ce5c37c7ba1831e9c0e289266.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.32/meta-yocto-77b40877c179ea3ce5c37c7ba1831e9c0e289266.tar.bz2
+
+meta-mingw
+
+-  Repository Location: :yocto_git:`/meta-mingw`
+-  Branch: :yocto_git:`kirkstone </meta-mingw/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.32 </meta-mingw/log/?h=yocto-4.0.32>`
+-  Git Revision: :yocto_git:`87c22abb1f11be430caf4372e6b833dc7d77564e </meta-mingw/commit/?id=87c22abb1f11be430caf4372e6b833dc7d77564e>`
+-  Release Artefact: meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e
+-  sha: f0bc4873e2e0319fb9d6d6ab9b98eb3f89664d4339a167d2db6a787dd12bc1a8
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.32/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.32/meta-mingw-87c22abb1f11be430caf4372e6b833dc7d77564e.tar.bz2
+
+meta-gplv2
+
+-  Repository Location: :yocto_git:`/meta-gplv2`
+-  Branch: :yocto_git:`kirkstone </meta-gplv2/log/?h=kirkstone>`
+-  Tag:  :yocto_git:`yocto-4.0.32 </meta-gplv2/log/?h=yocto-4.0.32>`
+-  Git Revision: :yocto_git:`d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a </meta-gplv2/commit/?id=d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a>`
+-  Release Artefact: meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a
+-  sha: c386f59f8a672747dc3d0be1d4234b6039273d0e57933eb87caa20f56b9cca6d
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.32/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.32/meta-gplv2-d2f8b5cdb285b72a4ed93450f6703ca27aa42e8a.tar.bz2
+
+bitbake
+
+-  Repository Location: :oe_git:`/bitbake`
+-  Branch: :oe_git:`2.0 </bitbake/log/?h=2.0>`
+-  Tag:  :oe_git:`yocto-4.0.32 </bitbake/log/?h=yocto-4.0.32>`
+-  Git Revision: :oe_git:`8e2d1f8de055549b2101614d85454fcd1d0f94b2 </bitbake/commit/?id=8e2d1f8de055549b2101614d85454fcd1d0f94b2>`
+-  Release Artefact: bitbake-8e2d1f8de055549b2101614d85454fcd1d0f94b2
+-  sha: fad4e7699bae62082118e89785324b031b0af0743064caee87c91ba28549afb0
+-  Download Locations:
+
+   https://downloads.yoctoproject.org/releases/yocto/yocto-4.0.32/bitbake-8e2d1f8de055549b2101614d85454fcd1d0f94b2.tar.bz2
+
+   https://mirrors.edge.kernel.org/yocto/yocto/yocto-4.0.32/bitbake-8e2d1f8de055549b2101614d85454fcd1d0f94b2.tar.bz2
+

documentation/overview-manual/concepts.rst

@@ -165,7 +165,7 @@ The following diagram represents the high-level workflow of a build. The
 remainder of this section expands on the fundamental input, output,
 process, and metadata logical blocks that make up the workflow.
 
-.. image:: figures/YP-flow-diagram.png
+.. image:: svg/yp-flow-diagram.*
    :align: center
 
 In general, the build's workflow consists of several functional areas:
@@ -983,7 +983,7 @@ package.
 
   For more information on the ``oe-pkgdata-util`` utility, see the section
   :ref:`dev-manual/debugging:Viewing Package Information with
-  \`\`oe-pkgdata-util\`\`` of the Yocto Project Development Tasks Manual.
+  ``oe-pkgdata-util``` of the Yocto Project Development Tasks Manual.
 
 To add a custom package variant of the ``${PN}`` recipe named
 ``${PN}-extra`` (name is arbitrary), one can add it to the
@@ -2438,8 +2438,8 @@ The contents of ``sayhello_0.1.bb`` are::
    S = "${WORKDIR}/git"
 
    do_install(){
-      install -d ${D}/usr/bin
-      install -m 0700 sayhello ${D}/usr/bin
+      install -d ${D}${bindir}
+      install -m 0700 sayhello ${D}${bindir}
    }
 
 After placing the recipes in a custom layer we can run ``bitbake sayhello``

documentation/overview-manual/svg/key-dev-elements.svg

@@ -0,0 +1,172 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   width="164.765mm"
+   height="72.988113mm"
+   viewBox="0 0 164.765 72.988114"
+   version="1.1"
+   id="svg1"
+   xml:space="preserve"
+   inkscape:version="1.4.2 (ebf0e940d0, 2025-05-08)"
+   sodipodi:docname="key-dev-elements.svg"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg"><sodipodi:namedview
+     id="namedview1"
+     pagecolor="#ffffff"
+     bordercolor="#000000"
+     borderopacity="0.25"
+     inkscape:showpageshadow="false"
+     inkscape:pageopacity="0.0"
+     inkscape:pagecheckerboard="0"
+     inkscape:deskcolor="#d1d1d1"
+     inkscape:document-units="mm"
+     inkscape:zoom="1"
+     inkscape:cx="341.5"
+     inkscape:cy="-31.5"
+     inkscape:window-width="2560"
+     inkscape:window-height="1440"
+     inkscape:window-x="0"
+     inkscape:window-y="0"
+     inkscape:window-maximized="0"
+     inkscape:current-layer="layer2"
+     showborder="false"
+     borderlayer="false"
+     inkscape:antialias-rendering="true"
+     showguides="true" /><defs
+     id="defs1" /><g
+     inkscape:groupmode="layer"
+     id="layer2"
+     inkscape:label="Layer "
+     style="display:inline"
+     transform="translate(-20.664242,-129.6793)"><rect
+       style="display:inline;fill:#f1e9cc;fill-opacity:1;stroke:#6d8eb4;stroke-width:0.653;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:7.4;stroke-opacity:1;paint-order:fill markers stroke"
+       id="rect1"
+       width="164.112"
+       height="54.273098"
+       x="20.990742"
+       y="130.0058"
+       ry="0"
+       inkscape:label="yp-rect" /><rect
+       style="display:inline;fill:#f3d770;fill-opacity:1;stroke:#6d8eb4;stroke-width:0.653;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:7.4;stroke-opacity:1;paint-order:fill markers stroke"
+       id="rect2"
+       width="101.45864"
+       height="41.151588"
+       x="28.1292"
+       y="137.10953"
+       inkscape:label="poky-rect" /><rect
+       style="display:inline;fill:#c0ebf5;fill-opacity:1;stroke:#6d8eb4;stroke-width:0.653;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:7.4;stroke-opacity:1;paint-order:fill markers stroke"
+       id="rect3"
+       width="50.652737"
+       height="53.04562"
+       x="35.516178"
+       y="149.29529"
+       inkscape:label="oe-rect" /><text
+       xml:space="preserve"
+       style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:4.23333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:start;writing-mode:lr-tb;direction:ltr;text-anchor:start;white-space:pre;inline-size:46.7487;display:inline;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:0;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:7.4;stroke-dasharray:none;stroke-opacity:1;paint-order:fill markers stroke"
+       x="136.38763"
+       y="137.69727"
+       id="text3"
+       inkscape:label="poky-title"
+       transform="matrix(0.90889596,0,0,0.81399719,-26.072941,39.399474)"><tspan
+         x="136.38763"
+         y="137.69727"
+         id="tspan2">Poky</tspan></text><text
+       xml:space="preserve"
+       style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:4.23333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:start;writing-mode:lr-tb;direction:ltr;text-anchor:start;white-space:pre;inline-size:46.7487;display:inline;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:0;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:7.4;stroke-dasharray:none;stroke-opacity:1;paint-order:fill markers stroke"
+       x="136.38763"
+       y="137.69727"
+       id="text3-8"
+       inkscape:label="oe-title"
+       transform="matrix(0.90889596,0,0,0.81399719,-78.327995,83.175189)"><tspan
+         x="136.38763"
+         y="137.69727"
+         id="tspan4">OpenEmbedded</tspan></text><text
+       xml:space="preserve"
+       style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:4.23333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:start;writing-mode:lr-tb;direction:ltr;text-anchor:start;white-space:pre;inline-size:46.7487;display:inline;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:0;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:7.4;stroke-dasharray:none;stroke-opacity:1;paint-order:fill markers stroke"
+       x="136.38763"
+       y="137.69727"
+       id="text3-0"
+       inkscape:label="yp-title"
+       transform="matrix(0.8469291,0,0,0.81399719,21.497595,28.033837)"><tspan
+         x="136.38763"
+         y="137.69727"
+         id="tspan5">YOCTO PROJECT (YP)</tspan></text><text
+       xml:space="preserve"
+       style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:2.98347px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:start;writing-mode:lr-tb;direction:ltr;text-anchor:start;display:inline;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:0;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:7.4;stroke-dasharray:none;stroke-opacity:1;paint-order:fill markers stroke"
+       x="137.19444"
+       y="150.50006"
+       id="text4"
+       transform="scale(1.0050579,0.9949676)"
+       inkscape:label="yp-text"><tspan
+         sodipodi:role="line"
+         id="tspan3"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:2.98347px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;stroke-width:0"
+         x="137.19444"
+         y="150.50006">Umbrella Open Source Project</tspan><tspan
+         sodipodi:role="line"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:2.98347px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;stroke-width:0"
+         x="137.19444"
+         y="154.2294"
+         id="tspan6">that Builds and Maintains</tspan><tspan
+         sodipodi:role="line"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:2.98347px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;stroke-width:0"
+         x="137.19444"
+         y="157.95874"
+         id="tspan7">Validated Open Source Tools and</tspan><tspan
+         sodipodi:role="line"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:2.98347px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;stroke-width:0"
+         x="137.19444"
+         y="161.68808"
+         id="tspan8">Components Associated with</tspan><tspan
+         sodipodi:role="line"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:2.98347px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;stroke-width:0"
+         x="137.19444"
+         y="165.4174"
+         id="tspan9">Embedded Linux</tspan></text><text
+       xml:space="preserve"
+       style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:2.97078px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:start;writing-mode:lr-tb;direction:ltr;text-anchor:start;display:inline;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:0;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:7.4;stroke-dasharray:none;stroke-opacity:1;paint-order:fill markers stroke"
+       x="90.582634"
+       y="159.10139"
+       id="text10"
+       transform="scale(1.0018079,0.9981954)"
+       inkscape:label="poky-text"><tspan
+         sodipodi:role="line"
+         id="tspan10"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:2.97078px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;stroke-width:0"
+         x="90.582634"
+         y="159.10139">Yocto Project Open</tspan><tspan
+         sodipodi:role="line"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:2.97078px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;stroke-width:0"
+         x="90.582634"
+         y="162.81487"
+         id="tspan11">Source Reference</tspan><tspan
+         sodipodi:role="line"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:2.97078px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;stroke-width:0"
+         x="90.582634"
+         y="166.52835"
+         id="tspan12">Embedded Distribution</tspan></text><text
+       xml:space="preserve"
+       style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.01677px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:start;writing-mode:lr-tb;direction:ltr;text-anchor:start;display:inline;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:0;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:7.4;stroke-dasharray:none;stroke-opacity:1;paint-order:fill markers stroke"
+       x="40.36692"
+       y="160.98824"
+       id="text13"
+       transform="scale(0.99784993,1.0021547)"
+       inkscape:label="oe-text"><tspan
+         sodipodi:role="line"
+         id="tspan13"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.01677px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;stroke-width:0"
+         x="40.36692"
+         y="160.98824">Open Source Build Engine</tspan><tspan
+         sodipodi:role="line"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.01677px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;stroke-width:0"
+         x="40.36692"
+         y="164.7592"
+         id="tspan14">and YP-Compatible Metadata</tspan><tspan
+         sodipodi:role="line"
+         style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:3.01677px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;stroke-width:0"
+         x="40.36692"
+         y="168.53017"
+         id="tspan15">for Embedded Linux</tspan></text></g></svg>

documentation/overview-manual/svg/yp-flow-diagram.svg

@@ -0,0 +1,950 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Generator: Adobe Illustrator 13.0.2, SVG Export Plug-In . SVG Version: 6.00 Build 14948)  -->
+
+<svg
+   version="1.1"
+   id="Layer_1"
+   x="0px"
+   y="0px"
+   width="760.50098"
+   height="352.582"
+   viewBox="0 0 760.50095 352.582"
+   enable-background="new 0 0 758.189 424.276"
+   xml:space="preserve"
+   sodipodi:docname="yp-flow-diagram.svg"
+   inkscape:version="1.4.3 (0d15f75042, 2025-12-25)"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg"><defs
+   id="defs86">
+		
+	</defs><sodipodi:namedview
+   id="namedview86"
+   pagecolor="#ffffff"
+   bordercolor="#000000"
+   borderopacity="0.25"
+   inkscape:showpageshadow="2"
+   inkscape:pageopacity="0.0"
+   inkscape:pagecheckerboard="0"
+   inkscape:deskcolor="#d1d1d1"
+   inkscape:zoom="2.8284271"
+   inkscape:cx="296.80807"
+   inkscape:cy="212.83914"
+   inkscape:window-width="1906"
+   inkscape:window-height="934"
+   inkscape:window-x="0"
+   inkscape:window-y="0"
+   inkscape:window-maximized="0"
+   inkscape:current-layer="Layer_1" />
+<g
+   id="g17"
+   transform="matrix(1,0,0,1.0035497,-2.0824824,-11.037238)"><rect
+     style="opacity:1;fill:#00b6de;fill-opacity:1;stroke:#ff631a;stroke-width:0;stroke-linejoin:bevel;stroke-miterlimit:0;stroke-dasharray:none"
+     id="rect11"
+     width="484.25"
+     height="249"
+     x="90"
+     y="112.5" /><rect
+     style="fill:#00b6de;fill-opacity:1;stroke:#ff631a;stroke-width:0;stroke-linejoin:bevel;stroke-miterlimit:0;stroke-dasharray:none"
+     id="rect11-8"
+     width="12"
+     height="12"
+     x="507.56818"
+     y="-301.10004"
+     ry="0"
+     transform="rotate(44.313856)" /><rect
+     style="fill:#e6e6e6;fill-opacity:1;stroke:#ff631a;stroke-width:0;stroke-linejoin:bevel;stroke-miterlimit:0;stroke-dasharray:none"
+     id="rect11-8-1"
+     width="12"
+     height="12"
+     x="361.46231"
+     y="-89.463524"
+     ry="0"
+     transform="rotate(44.313856)" /><rect
+     style="fill:#e6e6e6;fill-opacity:1;stroke:#ff631a;stroke-width:0;stroke-linejoin:bevel;stroke-miterlimit:0;stroke-dasharray:none"
+     id="rect11-8-1-1"
+     width="12"
+     height="12"
+     x="389.40585"
+     y="-60.842598"
+     ry="0"
+     transform="rotate(44.313856)" /><rect
+     style="fill:#e6e6e6;fill-opacity:1;stroke:#ff631a;stroke-width:0;stroke-linejoin:bevel;stroke-miterlimit:0;stroke-dasharray:none"
+     id="rect11-8-1-1-0"
+     width="12"
+     height="12"
+     x="416.47607"
+     y="-33.116081"
+     ry="0"
+     transform="rotate(44.313856)" /></g><rect
+   style="fill:#e6e6e6;fill-opacity:1;stroke:#ff631a;stroke-width:0;stroke-linejoin:bevel;stroke-miterlimit:0;stroke-dasharray:none"
+   id="rect11-9"
+   width="87"
+   height="216"
+   x="193.91776"
+   y="119.24599" /><rect
+   style="fill:#e6e6e6;fill-opacity:1;stroke:#ff631a;stroke-width:0;stroke-linejoin:bevel;stroke-miterlimit:0;stroke-dasharray:none"
+   id="rect11-8-1-4"
+   width="12"
+   height="12"
+   x="487.27533"
+   y="-296.15897"
+   ry="0"
+   transform="rotate(44.313856)" /><rect
+   style="fill:#e6e6e6;fill-opacity:1;stroke:#ff631a;stroke-width:0;stroke-linejoin:bevel;stroke-miterlimit:0;stroke-dasharray:none"
+   id="rect11-9-3"
+   width="85.75"
+   height="219.75"
+   x="470.16751"
+   y="119.49599" /><g
+   id="g2"
+   transform="translate(2.3119996,-71.694)">
+	<g
+   id="g1">
+		<polygon
+   fill="#00b6de"
+   points="703.77,340.194 712.852,349.277 721.934,340.194 758.189,340.194 758.189,256.861 723.582,256.861 713.171,267.274 702.758,256.861 628.582,256.861 618.171,267.274 607.758,256.861 561.523,256.861 561.523,340.194 609.104,340.194 618.186,349.277 627.268,340.194 "
+   id="polygon1" />
+	</g>
+</g>
+<g
+   id="g4"
+   transform="translate(2.3119996,-71.694)">
+	<g
+   id="g3">
+		<polygon
+   fill="#e6e6e6"
+   points="712.837,278.274 707.221,272.658 676.557,272.658 676.557,333.657 706.983,333.657 713.055,339.729 719.128,333.657 751.557,333.657 751.557,272.658 718.452,272.658 "
+   id="polygon2" />
+	</g>
+</g>
+<g
+   id="g6"
+   transform="translate(2.3119996,-71.694)">
+	<g
+   id="g5">
+		<polygon
+   fill="#e6e6e6"
+   points="618.171,278.274 611.555,271.658 581.558,271.658 581.558,332.657 611.983,332.657 618.056,338.729 624.128,332.657 656.558,332.657 656.558,271.658 624.786,271.658 "
+   id="polygon4" />
+	</g>
+</g>
+<g
+   id="g8"
+   transform="translate(2.3119996,-71.694)"
+   style="fill:#000080">
+	<g
+   id="g7"
+   style="fill:#000080">
+		<polygon
+   fill="#ed1849"
+   points="722.166,349.277 712.504,358.941 702.84,349.277 670.523,349.277 670.523,424.276 757.523,424.276 757.523,349.277 "
+   id="polygon6"
+   style="fill:#000080" />
+	</g>
+</g>
+<g
+   id="g10"
+   transform="translate(2.3119996,-71.694)"
+   style="fill:#000080">
+	<g
+   id="g9"
+   style="fill:#000080">
+		<polygon
+   fill="#ed1849"
+   points="628.371,348.611 618.043,358.941 607.713,348.611 575.523,348.611 575.523,423.61 662.523,423.61 662.523,348.611 "
+   id="polygon8"
+   style="fill:#000080" />
+	</g>
+</g>
+
+<g
+   id="g14"
+   transform="translate(2.3119996,-71.694)">
+	<g
+   id="g13">
+		<polygon
+   fill="#c1d82f"
+   points="575.428,217.35 575.428,250.526 610.09,250.526 618.171,258.607 626.251,250.526 705.09,250.526 713.171,258.607 721.251,250.526 757.427,250.526 757.427,173.527 575.428,173.527 575.428,199.703 584.252,208.525 "
+   id="polygon12" />
+	</g>
+</g>
+
+
+
+
+
+<g
+   id="g26"
+   transform="translate(0.4155534,-73.944)">
+	<g
+   id="g25">
+		<polygon
+   fill="#4a4a30"
+   points="177.974,133.944 125.111,133.944 118.043,141.013 110.974,133.944 86.834,133.944 86.834,166.944 178.263,166.944 184.834,173.514 191.403,166.944 281.833,166.944 281.833,133.944 258.611,133.944 251.543,141.013 244.474,133.944 192.111,133.944 185.043,141.013 "
+   id="polygon24" />
+	</g>
+</g>
+<g
+   id="g28"
+   transform="matrix(0.93986241,0,0,1,-22.331287,-17.694)">
+	<g
+   id="g27">
+		<polygon
+   fill="#e6e6e6"
+   points="330.188,290.202 330.188,296.444 511.188,296.444 511.188,289.015 517.259,282.942 511.188,276.87 511.188,268.444 330.188,268.444 330.188,277.683 336.447,283.942 "
+   id="polygon26" />
+	</g>
+</g>
+<g
+   id="g30"
+   transform="matrix(0.93986241,0,0,1,-22.331287,-17.694)">
+	<g
+   id="g29">
+		<polygon
+   fill="#e6e6e6"
+   points="330.188,251.536 330.188,257.944 511.188,257.944 511.188,250.515 517.259,244.442 511.188,238.37 511.188,229.944 330.188,229.944 330.188,239.016 336.447,245.276 "
+   id="polygon28" />
+	</g>
+</g>
+<g
+   id="g32"
+   transform="matrix(0.93986241,0,0,1,-22.331287,-17.694)">
+	<g
+   id="g31">
+		<polygon
+   fill="#e6e6e6"
+   points="330.188,211.18 330.188,218.444 511.188,218.444 511.188,211.015 517.259,204.942 511.188,198.87 511.188,190.444 330.188,190.444 330.188,199.372 336.092,205.276 "
+   id="polygon30" />
+	</g>
+</g>
+<g
+   id="g34"
+   transform="translate(-40.188,-71.694)">
+	<g
+   id="g33">
+		<polygon
+   fill="#e6e6e6"
+   points="144.188,342.944 144.188,406.944 225.188,406.944 225.188,381.515 231.259,375.442 225.188,369.37 225.188,342.944 190.445,342.944 184.043,349.348 177.639,342.944 "
+   id="polygon32" />
+	</g>
+</g>
+<g
+   id="g36"
+   transform="translate(-40.188,-71.694)">
+	<g
+   id="g35">
+		<polygon
+   fill="#e6e6e6"
+   points="177.618,330.944 184.188,337.514 190.757,330.944 225.188,330.944 225.188,266.944 190.778,266.944 183.71,274.014 176.64,266.944 144.188,266.944 144.188,330.944 "
+   id="polygon34" />
+	</g>
+</g>
+<g
+   id="g38"
+   transform="translate(-40.188,-71.694)">
+	<g
+   id="g37">
+		<polygon
+   fill="#e6e6e6"
+   points="177.118,254.944 183.688,261.514 190.257,254.944 224.688,254.944 224.688,190.944 191.445,190.944 184.376,198.014 177.306,190.944 143.688,190.944 143.688,254.944 "
+   id="polygon36" />
+	</g>
+</g>
+<g
+   id="g40"
+   transform="matrix(1,0,0,0.86327911,0.062,-77.645148)">
+	<g
+   id="g39">
+		<polygon
+   fill="#4a4a30"
+   points="81.188,221.611 0.188,221.611 0.188,285.61 81.188,285.61 81.188,260.181 87.259,254.109 81.188,248.037 "
+   id="polygon38" />
+	</g>
+</g><g
+   id="g40-0"
+   transform="matrix(1,0,0,0.86327911,0.312,-18.368819)">
+	<g
+   id="g39-6">
+		<polygon
+   fill="#4a4a30"
+   points="87.259,254.109 81.188,248.037 81.188,221.611 0.188,221.611 0.188,285.61 81.188,285.61 81.188,260.181 "
+   id="polygon38-4" />
+	</g>
+</g><g
+   id="g40-0-2"
+   transform="matrix(1,0,0,0.86327911,0.062,40.907511)">
+	<g
+   id="g39-6-5">
+		<polygon
+   fill="#4a4a30"
+   points="87.259,254.109 81.188,248.037 81.188,221.611 0.188,221.611 0.188,285.61 81.188,285.61 81.188,260.181 "
+   id="polygon38-4-8" />
+	</g>
+</g><g
+   id="g40-0-28"
+   transform="matrix(1,0,0,0.86327911,-0.188,100.18384)">
+	<g
+   id="g39-6-4">
+		<polygon
+   fill="#4a4a30"
+   points="81.188,285.61 81.188,260.181 87.259,254.109 81.188,248.037 81.188,221.611 0.188,221.611 0.188,285.61 "
+   id="polygon38-4-7" />
+	</g>
+</g>
+<g
+   id="g42"
+   transform="translate(0.062,-71.944)"
+   style="fill:#ff7f2a">
+	<g
+   id="g41"
+   style="fill:#ff7f2a">
+		<polygon
+   fill="#7e8082"
+   points="178.618,123.944 185.188,130.514 191.757,123.944 215.188,123.944 215.188,71.944 154.188,71.944 154.188,123.944 "
+   id="polygon40"
+   style="fill:#ff7f2a" />
+	</g>
+</g>
+<rect
+   x="126.062"
+   y="75.334"
+   fill="none"
+   width="116.666"
+   height="21.333"
+   id="rect42" />
+<text
+   fill="#ffffff"
+   font-family="MyriadPro-Regular"
+   font-size="12px"
+   id="text42"
+   x="139.47949"
+   y="82.440079"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">Source Materials</text>
+<rect
+   x="155.41699"
+   y="10.834001"
+   fill="none"
+   width="58.666"
+   height="40.667"
+   id="rect43" />
+<text
+   id="text44"
+   x="190.00726"
+   y="29.10741"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;white-space:pre;inline-size:49.6985"
+   transform="translate(-5.5244746,-7.8775879)"
+   xml:space="preserve"><tspan
+     x="190.00726"
+     y="29.10741"
+     id="tspan1">Local<tspan
+   y="29.10741"
+   id="tspan2"> </tspan></tspan><tspan
+     x="190.00726"
+     y="42.440787"
+     id="tspan3">Projects</tspan></text>
+<g
+   id="g45"
+   transform="translate(0.062,-71.944)"
+   style="fill:#ff7f2a">
+	<g
+   id="g44"
+   style="fill:#ff7f2a">
+		<polygon
+   fill="#7e8082"
+   points="245.118,123.944 251.688,130.514 258.257,123.944 281.688,123.944 281.688,71.944 220.688,71.944 220.688,123.944 "
+   id="polygon44"
+   style="fill:#ff7f2a" />
+	</g>
+</g>
+<rect
+   x="221.91699"
+   y="7.8340006"
+   fill="none"
+   width="58.666"
+   height="40.667"
+   id="rect45" />
+<text
+   id="text47"
+   x="258.17291"
+   y="26.10741"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;white-space:pre;inline-size:56.5275;fill:#000000"
+   transform="translate(-6.4360358,-3.6326896)"
+   xml:space="preserve"><tspan
+     x="258.17291"
+     y="26.10741"
+     id="tspan4">SCMs<tspan
+   y="26.10741"
+   id="tspan5"> </tspan></tspan><tspan
+     x="258.17291"
+     y="39.440787"
+     id="tspan6">(optional)</tspan></text>
+<g
+   id="g48"
+   transform="translate(0.062,-71.944)"
+   style="fill:#ff7f2a">
+	<g
+   id="g47"
+   style="fill:#ff7f2a">
+		<polygon
+   fill="#7e8082"
+   points="111.618,123.944 118.188,130.514 124.757,123.944 148.188,123.944 148.188,71.944 87.188,71.944 87.188,123.944 "
+   id="polygon47"
+   style="fill:#ff7f2a" />
+	</g>
+</g>
+<rect
+   x="88.417007"
+   y="10.834001"
+   fill="none"
+   width="58.666"
+   height="40.667"
+   id="rect48" />
+<text
+   id="text49"
+   x="125.51399"
+   y="29.10741"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;white-space:pre;inline-size:64.823"
+   transform="translate(-8.2169997,-13.75401)"
+   xml:space="preserve"><tspan
+     x="125.51399"
+     y="29.10741"
+     id="tspan7">Upstream<tspan
+   y="29.10741"
+   id="tspan8"> </tspan></tspan><tspan
+     x="125.51399"
+     y="42.440787"
+     id="tspan9">Project<tspan
+   y="42.440787"
+   id="tspan10"> </tspan></tspan><tspan
+     x="125.51399"
+     y="55.774165"
+     id="tspan11">Releases</tspan></text>
+<rect
+   x="115.167"
+   y="137.084"
+   fill="none"
+   width="58.666"
+   height="40.667"
+   id="rect49" />
+<text
+   id="text51"
+   x="128.34723"
+   y="147.37112"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal"><tspan
+     x="128.34723"
+     y="147.37112"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="tspan50"
+     style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">Source </tspan><tspan
+     x="123.54125"
+     y="161.77113"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="tspan51"
+     style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">Fetching</tspan></text>
+<rect
+   x="115.167"
+   y="215.08401"
+   fill="none"
+   width="58.666"
+   height="40.666"
+   id="rect51" />
+<text
+   id="text53"
+   x="131.82678"
+   y="224.31099"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal"><tspan
+     x="131.82678"
+     y="224.31099"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="tspan52"
+     style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">Patch </tspan><tspan
+     x="117.00081"
+     y="238.70999"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="tspan53"
+     style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">Application</tspan></text>
+<rect
+   x="107.167"
+   y="279.08401"
+   fill="none"
+   width="74.166"
+   height="69.237"
+   id="rect53" />
+<text
+   id="text57"
+   x="149.00055"
+   y="297.35791"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;white-space:pre;inline-size:74.8743"
+   transform="translate(-3.496696,4.953096)"
+   xml:space="preserve"><tspan
+     x="149.00055"
+     y="297.35791"
+     id="tspan12">Configuration /<tspan
+   y="297.35791"
+   id="tspan13"> </tspan></tspan><tspan
+     x="149.00055"
+     y="310.69127"
+     id="tspan14">Compile</tspan></text>
+<rect
+   x="201.16699"
+   y="184.084"
+   fill="none"
+   width="74.166"
+   height="89.237"
+   id="rect57" />
+<text
+   id="text63"
+   x="221.86859"
+   y="192.60429"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal"><tspan
+     x="221.86859"
+     y="192.60429"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="tspan58"
+     style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">Output </tspan><tspan
+     x="211.42859"
+     y="207.0043"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="tspan59"
+     style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">Analysis for </tspan><tspan
+     x="218.94058"
+     y="221.4043"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="tspan60"
+     style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">package </tspan><tspan
+     x="207.54759"
+     y="235.80429"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="tspan61"
+     style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">splitting plus </tspan><tspan
+     x="218.94058"
+     y="250.2043"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="tspan62"
+     style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">package </tspan><tspan
+     x="207.81059"
+     y="264.60431"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="tspan63"
+     style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">relationships</tspan></text><text
+   id="text63-1"
+   x="555.48315"
+   y="202.90402"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;white-space:pre;inline-size:31.0495"
+   transform="translate(-42.334211,23.629617)"
+   xml:space="preserve"><tspan
+     x="555.48315"
+     y="202.90402"
+     id="tspan15">QA<tspan
+   y="202.90402"
+   id="tspan16"> </tspan></tspan><tspan
+     x="555.48315"
+     y="216.2374"
+     id="tspan18">Tests</tspan></text>
+<rect
+   x="319.146"
+   y="127.084"
+   fill="none"
+   width="116.666"
+   height="21.333"
+   id="rect63" />
+<text
+   font-family="MyriadPro-Regular"
+   font-size="12px"
+   id="text64"
+   x="335.19238"
+   y="189.60429"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">.rpm generation</text>
+<rect
+   x="319.146"
+   y="166.584"
+   fill="none"
+   width="116.666"
+   height="21.333"
+   id="rect64" />
+<text
+   font-family="MyriadPro-Regular"
+   font-size="12px"
+   id="text65"
+   x="335.76849"
+   y="229.10429"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">.deb generation</text>
+<rect
+   x="319.146"
+   y="205.08401"
+   fill="none"
+   width="116.666"
+   height="21.333"
+   id="rect65" />
+<text
+   font-family="MyriadPro-Regular"
+   font-size="12px"
+   id="text66"
+   x="337.9404"
+   y="267.60391"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">.ipk generation</text>
+<rect
+   x="296.16699"
+   y="307.08401"
+   fill="none"
+   width="77.166"
+   height="30.237"
+   id="rect66" />
+
+<rect
+   x="299.66699"
+   y="261.08401"
+   fill="none"
+   width="71.853996"
+   height="33.664001"
+   id="rect67" />
+
+<rect
+   x="395.97998"
+   y="261.08401"
+   fill="none"
+   width="71.853996"
+   height="33.664001"
+   id="rect69" />
+
+<rect
+   x="390.66699"
+   y="307.08401"
+   fill="none"
+   width="77.166"
+   height="30.237"
+   id="rect71" />
+
+<rect
+   y="133"
+   fill="none"
+   width="81.666"
+   height="39.334"
+   id="rect73"
+   x="0.061999973" />
+<text
+   id="text75"
+   x="64.610138"
+   y="186.94585"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;white-space:pre;inline-size:66.7773"
+   transform="translate(-23.458902,-49.50401)"
+   xml:space="preserve"><tspan
+     x="64.610138"
+     y="186.94585"
+     id="tspan20"><tspan
+   style="fill:#ffffff"
+   id="tspan19">User</tspan>
+</tspan><tspan
+     x="64.610138"
+     y="200.27922"
+     id="tspan22"><tspan
+       style="fill:#ffffff"
+       id="tspan21">Configuration</tspan></tspan></text><text
+   id="text75-4"
+   x="64.610138"
+   y="186.94585"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;white-space:pre;inline-size:66.7773"
+   transform="translate(-24.603766,70.32617)"
+   xml:space="preserve"><tspan
+     x="64.610138"
+     y="186.94585"
+     id="tspan24"><tspan
+   style="fill:#ffffff"
+   id="tspan23">Machine BSP</tspan>
+</tspan><tspan
+     x="64.610138"
+     y="200.27922"
+     id="tspan26"><tspan
+       style="fill:#ffffff"
+       id="tspan25">Configuration</tspan></tspan></text><text
+   id="text75-4-6"
+   x="64.610138"
+   y="186.94585"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;white-space:pre;inline-size:66.7773"
+   transform="translate(-25.353766,128.82617)"
+   xml:space="preserve"><tspan
+     x="64.610138"
+     y="186.94585"
+     id="tspan28"><tspan
+   style="fill:#ffffff"
+   id="tspan27">Policy</tspan>
+</tspan><tspan
+     x="64.610138"
+     y="200.27922"
+     id="tspan30"><tspan
+       style="fill:#ffffff"
+       id="tspan29">Configuration</tspan></tspan></text>
+
+<rect
+   y="211.16798"
+   fill="none"
+   width="81.666"
+   height="39.333"
+   id="rect76"
+   x="0.061999973" />
+<text
+   id="text78"
+   x="70.02713"
+   y="265.4418"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;white-space:pre;inline-size:89.4625"
+   transform="translate(-28.848315,-69.549143)"
+   xml:space="preserve"><tspan
+     x="70.02713"
+     y="265.4418"
+     id="tspan32"><tspan
+       style="fill:#ffffff"
+       id="tspan31">Metadata
+</tspan></tspan><tspan
+     x="70.02713"
+     y="278.77516"
+     id="tspan34"><tspan
+       style="fill:#ffffff"
+       id="tspan33">(.bb + patches)</tspan></tspan></text>
+<rect
+   x="612.83502"
+   y="131.418"
+   fill="none"
+   width="112.186"
+   height="20.163"
+   id="rect78" />
+<text
+   font-family="MyriadPro-Regular"
+   font-size="12px"
+   id="text79"
+   x="629.87451"
+   y="142.68779"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">Package Feeds</text>
+<rect
+   x="579.98102"
+   y="306.25101"
+   fill="none"
+   width="81.666"
+   height="39.332001"
+   id="rect79" />
+<text
+   fill="#ffffff"
+   font-family="MyriadPro-Regular"
+   font-size="12px"
+   id="text80"
+   x="604.24854"
+   y="319.7699"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">Images</text>
+<rect
+   x="584.14703"
+   y="216.08499"
+   fill="none"
+   width="71.853996"
+   height="33.664001"
+   id="rect80" />
+<text
+   id="text81"
+   x="606.88434"
+   y="227.1058"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal"><tspan
+     x="606.88434"
+     y="227.1058"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="tspan80"
+     style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">Image </tspan><tspan
+     x="594.48834"
+     y="241.50479"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="tspan81"
+     style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">Generation</tspan></text>
+<rect
+   x="678.83301"
+   y="215.08499"
+   fill="none"
+   width="77.166"
+   height="30.237"
+   id="rect81" />
+<text
+   id="text83"
+   x="708.21045"
+   y="228.6058"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal"><tspan
+     x="708.21045"
+     y="228.6058"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="tspan82"
+     style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">SDK </tspan><tspan
+     x="690.33142"
+     y="243.00479"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="tspan83"
+     style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal">Generation</tspan></text>
+<rect
+   x="379.06299"
+   y="86.834"
+   fill="none"
+   width="199.03999"
+   height="21.164"
+   id="rect83" />
+<text
+   fill="#333333"
+   font-family="MyriadPro-Regular"
+   font-size="12px"
+   id="text84"
+   x="426.28253"
+   y="26.005543"
+   style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:12px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;fill:#333333">OpenEmbedded Architecture Workflow</text><g
+   id="g18"
+   transform="translate(-10.254525,-9.75401)"><rect
+     style="fill:#00b6de;fill-opacity:1;stroke:#ff631a;stroke-width:0;stroke-linejoin:bevel;stroke-miterlimit:0;stroke-dasharray:none"
+     id="rect11-5"
+     width="10"
+     height="9.9646282"
+     x="442.00568"
+     y="76.711205"
+     transform="matrix(1,0,0,1.0035497,0,-1.2832284)" /><text
+     fill="#333333"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="text84-6"
+     x="456.48013"
+     y="84.126945"
+     style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:12px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;fill:#333333"><tspan
+       style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:9.33333px;font-family:Sans;-inkscape-font-specification:'Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal"
+       id="tspan17">Build System</tspan></text></g><g
+   id="g18-4"
+   transform="translate(-10.254525,-25.970712)"><rect
+     style="fill:#4a4a30;fill-opacity:1;stroke:#ff631a;stroke-width:0;stroke-linejoin:bevel;stroke-miterlimit:0;stroke-dasharray:none"
+     id="rect11-5-8"
+     width="10"
+     height="9.9646282"
+     x="442.00568"
+     y="76.711205"
+     transform="matrix(1,0,0,1.0035497,0,-1.2832284)" /><text
+     fill="#333333"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="text84-6-0"
+     x="456.48013"
+     y="84.126945"
+     style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:12px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;fill:#333333"><tspan
+       style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:9.33333px;font-family:Sans;-inkscape-font-specification:'Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal"
+       id="tspan17-4">Metadata/Inputs</tspan></text></g><g
+   id="g18-4-9"
+   transform="translate(-10.254525,-42.187414)"><rect
+     style="fill:#ff7f2a;fill-opacity:1;stroke:#ff631a;stroke-width:0.49911493;stroke-linejoin:bevel;stroke-miterlimit:0;stroke-dasharray:none"
+     id="rect11-5-8-6"
+     width="10"
+     height="9.9646282"
+     x="442.00568"
+     y="76.711205"
+     transform="matrix(1,0,0,1.0035497,0,-1.2832284)" /><text
+     fill="#333333"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="text84-6-0-1"
+     x="456.48013"
+     y="84.126945"
+     style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:12px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;fill:#333333"><tspan
+       style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:9.33333px;font-family:Sans;-inkscape-font-specification:'Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal"
+       id="tspan17-4-0">Upstream Source</tspan></text></g><g
+   id="g18-4-9-2"
+   transform="translate(101.50803,-40.934366)"><rect
+     style="fill:#c1d82f;fill-opacity:1;stroke:#ff631a;stroke-width:0;stroke-linejoin:bevel;stroke-miterlimit:0;stroke-dasharray:none"
+     id="rect11-5-8-6-2"
+     width="10"
+     height="9.9646282"
+     x="442.00568"
+     y="76.711205"
+     transform="matrix(1,0,0,1.0035497,0,-1.2832284)" /><text
+     fill="#333333"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="text84-6-0-1-2"
+     x="456.48013"
+     y="84.126945"
+     style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:12px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;fill:#333333"><tspan
+       style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:9.33333px;font-family:Sans;-inkscape-font-specification:'Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal"
+       id="tspan17-4-0-0">Output Packages</tspan></text></g><g
+   id="g18-4-9-2-5"
+   transform="translate(101.50803,-24.709046)"><rect
+     style="fill:#e6e6e6;fill-opacity:1;stroke:#ff631a;stroke-width:0;stroke-linejoin:bevel;stroke-miterlimit:0;stroke-dasharray:none"
+     id="rect11-5-8-6-2-2"
+     width="10"
+     height="9.9646282"
+     x="442.00568"
+     y="76.711205"
+     transform="matrix(1,0,0,1.0035497,0,-1.2832284)" /><text
+     fill="#333333"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="text84-6-0-1-2-9"
+     x="456.48013"
+     y="84.126945"
+     style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:12px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;fill:#333333"><tspan
+       style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:9.33333px;font-family:Sans;-inkscape-font-specification:'Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal"
+       id="tspan17-4-0-0-0">Process steps (tasks)</tspan></text></g><g
+   id="g18-4-9-2-5-8"
+   transform="translate(101.50803,-8.4837252)"><rect
+     style="fill:#000080;fill-opacity:1;stroke:#ff631a;stroke-width:0;stroke-linejoin:bevel;stroke-miterlimit:0;stroke-dasharray:none"
+     id="rect11-5-8-6-2-2-3"
+     width="10"
+     height="9.9646282"
+     x="442.00568"
+     y="76.711205"
+     transform="matrix(1,0,0,1.0035497,0,-1.2832284)" /><text
+     fill="#333333"
+     font-family="MyriadPro-Regular"
+     font-size="12px"
+     id="text84-6-0-1-2-9-8"
+     x="456.48013"
+     y="84.126945"
+     style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:12px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;fill:#333333"><tspan
+       style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:9.33333px;font-family:Sans;-inkscape-font-specification:'Sans, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal"
+       id="tspan17-4-0-0-0-0">Output Imaga Data</tspan></text></g>
+
+
+<rect
+   x="675.64801"
+   y="304.91699"
+   fill="none"
+   width="81.666"
+   height="39.332001"
+   id="rect85" />
+<text
+   id="text86"
+   x="720.58508"
+   y="322.93991"
+   style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:10.6667px;font-family:'Nimbus Sans L';-inkscape-font-specification:'Nimbus Sans L, Normal';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;white-space:pre;inline-size:65.518"
+   transform="translate(-2.5824824,-12.25401)"
+   xml:space="preserve"><tspan
+     x="720.58508"
+     y="322.93991"
+     id="tspan36"><tspan
+   style="fill:#ffffff"
+   id="tspan35">Application</tspan><tspan
+   y="322.93991"
+   id="tspan37"> </tspan></tspan><tspan
+     x="720.58508"
+     y="336.27327"
+     id="tspan39"><tspan
+   style="fill:#ffffff"
+   id="tspan38">Development</tspan><tspan
+   y="336.27327"
+   id="tspan40"> </tspan></tspan><tspan
+     x="720.58508"
+     y="349.60665"
+     id="tspan42"><tspan
+       style="fill:#ffffff"
+       id="tspan41">SDK</tspan></tspan></text>
+</svg>

documentation/overview-manual/yp-intro.rst

@@ -23,12 +23,12 @@ comes to delivering embedded software stacks. The project allows
 software customizations and build interchange for multiple hardware
 platforms as well as software stacks that can be maintained and scaled.
 
-.. image:: figures/key-dev-elements.png
-    :align: center
+.. image:: svg/key-dev-elements.*
+    :width: 100%
 
 For further introductory information on the Yocto Project, you might be
 interested in this
-`article <https://www.embedded.com/electronics-blogs/say-what-/4458600/Why-the-Yocto-Project-for-my-IoT-Project->`__
+`article <https://www.embedded.com/why-the-yocto-project-for-my-iot-project/>`__
 by Drew Moseley and in this short introductory
 `video <https://www.youtube.com/watch?v=utZpKM7i5Z4>`__.
 
@@ -44,7 +44,7 @@ Here are features and advantages of the Yocto Project:
    system, software, and service vendors adopt and support the Yocto
    Project in their products and services. For a look at the Yocto
    Project community and the companies involved with the Yocto Project,
-   see the "COMMUNITY" and "ECOSYSTEM" tabs on the
+   see the "COMMUNITY" and "ABOUT" tabs on the
    :yocto_home:`Yocto Project <>` home page.
 
 -  *Architecture Agnostic:* Yocto Project supports Intel, ARM, MIPS,
@@ -60,10 +60,9 @@ Here are features and advantages of the Yocto Project:
    move between architectures without moving to new development
    environments. Additionally, if you have used the Yocto Project to
    create an image or application and you find yourself not able to
-   support it, commercial Linux vendors such as Wind River, Mentor
-   Graphics, Timesys, and ENEA could take it and provide ongoing
-   support. These vendors have offerings that are built using the Yocto
-   Project.
+   support it, commercial Linux vendors listed on :yocto_home:`/members/` and
+   :yocto_home:`/about/participants/` could take it and provide ongoing
+   support.
 
 -  *Flexibility:* Corporations use the Yocto Project many different
    ways. One example is to create an internal Linux distribution as a
@@ -734,7 +733,7 @@ The :term:`OpenEmbedded Build System` uses a "workflow" to
 accomplish image and SDK generation. The following figure overviews that
 workflow:
 
-.. image:: figures/YP-flow-diagram.png
+.. image:: svg/yp-flow-diagram.*
     :align: center
 
 Here is a brief summary of the "workflow":
@@ -760,7 +759,8 @@ Here is a brief summary of the "workflow":
    package feed that is used to create the final root file image.
 
 7. The build system generates the file system image and a customized
-   Extensible SDK (eSDK) for application development in parallel.
+   :doc:`SDK </sdk-manual/index>` (Software Development Kit) for application
+   development in parallel.
 
 For a very detailed look at this workflow, see the
 ":ref:`overview-manual/concepts:openembedded build system concepts`" section.

documentation/ref-manual/classes.rst

@@ -309,8 +309,12 @@ file for details about how to enable this mechanism in your configuration
 file, how to disable it for specific recipes, and how to share ``ccache``
 files between builds.
 
-However, using the class can lead to unexpected side-effects. Thus, using
-this class is not recommended.
+Recipes can also explicitly disable `Ccache` support even when the
+:ref:`ref-classes-ccache` class is enabled, by setting the
+:term:`CCACHE_DISABLE` variable to "1".
+
+Using the :ref:`ref-classes-ccache` class can lead to unexpected side-effects.
+Using this class is not recommended.
 
 .. _ref-classes-chrpath:
 
@@ -825,6 +829,14 @@ software that uses the GNU ``gettext`` internationalization and localization
 system. All recipes building software that use ``gettext`` should inherit this
 class.
 
+This class will configure recipes to build translations *unless*:
+
+-  the :term:`USE_NLS` variable is set to ``no``, or
+
+-  the :term:`INHIBIT_DEFAULT_DEPS` variable is set and the recipe inheriting
+   the :ref:`ref-classes-gettext` class does not also inherit the
+   :ref:`ref-classes-cross-canadian` class.
+
 .. _ref-classes-gnomebase:
 
 ``gnomebase``
@@ -1106,6 +1118,53 @@ The :ref:`ref-classes-image_types` class also handles conversion and compression
    :term:`IMAGE_FSTYPES`. This would also be similar for Virtual Box Virtual Disk
    Image ("vdi") and QEMU Copy On Write Version 2 ("qcow2") images.
 
+.. _ref-classes-image-container:
+
+``image-container``
+===================
+
+The :ref:`ref-classes-image-container` class is automatically inherited in
+:doc:`image </ref-manual/images>` recipes that have the ``container`` image type
+in :term:`IMAGE_FSTYPES`. It provides relevant settings to generate an image
+ready for use with an :wikipedia:`OCI <Open_Container_Initiative>`-compliant
+container management tool, such as :wikipedia:`Podman <Podman>` or
+:wikipedia:`Docker <Docker_(software)>`.
+
+.. note::
+
+   This class neither builds nor installs container management tools on the
+   target. Those tools are available in the :yocto_git:`meta-virtualization
+   </meta-virtualization>` layer.
+
+You should set the :term:`PREFERRED_PROVIDER` for the Linux kernel to
+``linux-dummy`` in a :term:`configuration file`::
+
+   PREFERRED_PROVIDER_virtual/kernel = "linux-dummy"
+
+Otherwise an error is triggered. If desired, the
+:term:`IMAGE_CONTAINER_NO_DUMMY` variable can be set to "1" to avoid triggering
+this error.
+
+The ``linux-dummy`` recipe acts as a Linux kernel recipe but builds nothing. It
+is relevant to use as the preferred Linux kernel provider in this case as a
+container image does not need to include a Linux kernel. Selecting it as the
+preferred provider for the kernel will also decrease build time.
+
+Using this class only deploys an additional ``tar.bz2`` archive to
+:term:`DEPLOY_DIR_IMAGE`. This archive can be used in a container file (a file
+typically named ``Dockerfile`` or ``Containerfile``). For example, to be used with
+:wikipedia:`Podman <Podman>` or :wikipedia:`Docker <Docker_(software)>`, the
+`container file <https://docs.docker.com/reference/dockerfile/>`__ could contain
+the following instructions:
+
+.. code-block:: dockerfile
+
+   FROM scratch
+   ADD ./image-container-qemux86-64.rootfs.tar.bz2 /
+   ENTRYPOINT /bin/sh
+
+This is suitable to build a container using our generated root filesystem image.
+
 .. _ref-classes-image-live:
 
 ``image-live``
@@ -1855,7 +1914,8 @@ a couple different ways:
       Not using this naming convention can lead to subtle problems
       caused by existing code that depends on that naming convention.
 
--  Create or modify a target recipe that contains the following::
+-  Or, create a :ref:`ref-classes-native` variant of any target recipe (e.g.
+   ``myrecipe.bb``) by adding the following to the recipe::
 
       BBCLASSEXTEND = "native"
 
@@ -1886,7 +1946,18 @@ couple different ways:
    inherit statement in the recipe after all other inherit statements so
    that the :ref:`ref-classes-nativesdk` class is inherited last.
 
--  Create a :ref:`ref-classes-nativesdk` variant of any recipe by adding the following::
+   .. note::
+
+      When creating a recipe, you must follow this naming convention::
+
+              nativesdk-myrecipe.bb
+
+
+      Not doing so can lead to subtle problems because there is code that
+      depends on the naming convention.
+
+-  Or, create a :ref:`ref-classes-nativesdk` variant of any target recipe (e.g.
+   ``myrecipe.bb``) by adding the following to the recipe::
 
        BBCLASSEXTEND = "nativesdk"
 
@@ -1895,16 +1966,6 @@ couple different ways:
    specify any functionality specific to the respective SDK machine or
    target case.
 
-.. note::
-
-   When creating a recipe, you must follow this naming convention::
-
-           nativesdk-myrecipe.bb
-
-
-   Not doing so can lead to subtle problems because there is code that
-   depends on the naming convention.
-
 Although applied differently, the :ref:`ref-classes-nativesdk` class is used with both
 methods. The advantage of the second method is that you do not need to
 have two separate recipes (assuming you need both) for the SDK machine
@@ -2542,6 +2603,25 @@ The :ref:`ref-classes-recipe_sanity` class checks for the presence of any host s
 recipe prerequisites that might affect the build (e.g. variables that
 are set or software that is present).
 
+.. _ref-classes-relative_symlinks:
+
+``relative_symlinks``
+=====================
+
+The :ref:`ref-classes-relative_symlinks` class walks the symbolic links in the
+:term:`D` directory and replaces links pointing to absolute paths to relative
+paths. This is occasionally used in some recipes that create wrong symbolic
+links when their :ref:`ref-classes-native` version is built, and/or would cause
+breakage in the :ref:`overview-manual/concepts:shared state cache`.
+
+For example, if the following symbolic link is found in :term:`D`::
+
+   /usr/bin/foo -> /sbin/bar
+
+It is replaced by::
+
+   /usr/bin/foo -> ../../sbin/bar
+
 .. _ref-classes-relocatable:
 
 ``relocatable``
@@ -3036,6 +3116,22 @@ class assuming :term:`PATCHRESOLVE` is set to "user", the
 :ref:`ref-classes-cml1` class, and the :ref:`ref-classes-devshell` class all
 use the :ref:`ref-classes-terminal` class.
 
+.. _ref-classes-testexport:
+
+``testexport``
+==============
+
+Based on the :ref:`ref-classes-testimage` class, the
+:ref:`ref-classes-testexport` class can be used to export the test environment
+outside of the :term:`OpenEmbedded Build System`. This will generate the
+directory structure to execute the runtime tests using the
+:oe_git:`runexported.py </openembedded-core/tree/meta/lib/oeqa/runexported.py>`
+Python script.
+
+For more details on how to use :ref:`ref-classes-testexport`, see
+the :ref:`test-manual/runtime-testing:Exporting Tests` section in the Yocto
+Project Test Environment Manual.
+
 .. _ref-classes-testimage:
 
 ``testimage``
@@ -3161,6 +3257,9 @@ It is intended to be inherited from U-Boot recipes.
 
 The variables used by this class are:
 
+-  :term:`SPL_DTB_BINARY`: Name of the SPL device tree binary. Can be set to an
+   empty string to indicate that no SPL should be created and added to the FIT
+   image.
 -  :term:`SPL_MKIMAGE_DTCOPTS`: DTC options for U-Boot ``mkimage`` when
    building the FIT image.
 -  :term:`SPL_SIGN_ENABLE`: enable signing the FIT image.
@@ -3193,22 +3292,51 @@ imitates.
 ``uninative``
 =============
 
-Attempts to isolate the build system from the host distribution's C
-library in order to make re-use of native shared state artifacts across
-different host distributions practical. With this class enabled, a
-tarball containing a pre-built C library is downloaded at the start of
-the build. In the Poky reference distribution this is enabled by default
-through ``meta/conf/distro/include/yocto-uninative.inc``. Other
-distributions that do not derive from poky can also
-"``require conf/distro/include/yocto-uninative.inc``" to use this.
-Alternatively if you prefer, you can build the uninative-tarball recipe
-yourself, publish the resulting tarball (e.g. via HTTP) and set
-``UNINATIVE_URL`` and ``UNINATIVE_CHECKSUM`` appropriately. For an
-example, see the ``meta/conf/distro/include/yocto-uninative.inc``.
+The :ref:`ref-classes-uninative` class allows binaries to run on systems with
+older or newer :wikipedia:`Glibc <Glibc>` versions. This means
+:ref:`ref-classes-native` recipe :ref:`overview-manual/concepts:shared state
+cache` can be shared among different host distributions of different versions,
+i.e. the :ref:`overview-manual/concepts:shared state cache` is "universal".
 
-The :ref:`ref-classes-uninative` class is also used unconditionally by the extensible
-SDK. When building the extensible SDK, ``uninative-tarball`` is built
-and the resulting tarball is included within the SDK.
+To allow this to work, the dynamic loader is changed to our own :manpage:`ld.so
+<ld.so.8>` when binaries are compiled using the
+``--dynamic-linker`` option. This means when the binary is executed, it finds
+our own :manpage:`ld.so <ld.so.8>` and that loader has a modified search path
+which finds a newer Glibc version.
+
+The linking of the binaries is not changed at link time since the
+headers on the system wouldn't match the newer Glibc and this causes
+obtuse failures. Changing the loader is effectively the same as if the
+system had a Glibc upgrade after the binary was compiled, so it is a
+mechanism supported by upstream.
+
+One caveat to this approach is that the uninative Glibc binary must be
+equal to or newer in version to the versions on all the systems using
+the common :ref:`overview-manual/concepts:shared state cache`. This is why
+:ref:`ref-classes-uninative`  is regularly changed on the development and stable
+branches.
+
+Another potential issue is static linking: static libraries created on
+a system with a new Glibc version may have symbols not present in older
+versions, which would then fail during linking on older systems. This
+is one reason we don't use static linking for our :ref:`ref-classes-native`
+binaries.
+
+With this class enabled, a tarball containing a pre-built C library is
+downloaded at the start of the build. In the Poky reference distribution this is
+enabled by default through :oe_git:`meta/conf/distro/include/yocto-uninative.inc
+</openembedded-core/tree/meta/conf/distro/include/yocto-uninative.inc>`. Other distributions that do
+not derive from Poky can also "``require conf/distro/include/yocto-uninative.inc``"
+to use this. Alternatively if you prefer, you can build the uninative-tarball
+recipe yourself, publish the resulting tarball (e.g. via HTTP) and set
+:term:`UNINATIVE_URL` and :term:`UNINATIVE_CHECKSUM` appropriately. For an
+example, see :oe_git:`meta/conf/distro/include/yocto-uninative.inc
+</openembedded-core/tree/meta/conf/distro/include/yocto-uninative.inc>`.
+
+The :ref:`ref-classes-uninative` class is also used unconditionally by the
+:doc:`extensible SDK </sdk-manual/extensible>`. When building the extensible
+SDK, ``uninative-tarball`` is built and the resulting tarball is included within
+the SDK.
 
 .. _ref-classes-update-alternatives:
 

documentation/ref-manual/devtool-reference.rst

@@ -432,7 +432,7 @@ You can read more on the ``devtool upgrade`` workflow in the
 ":ref:`sdk-manual/extensible:use \`\`devtool upgrade\`\` to create a version of the recipe that supports a newer version of the software`"
 section in the Yocto Project Application Development and the Extensible
 Software Development Kit (eSDK) manual. You can also see an example of
-how to use ``devtool upgrade`` in the ":ref:`dev-manual/upgrading-recipes:using \`\`devtool upgrade\`\``"
+how to use ``devtool upgrade`` in the ":ref:`dev-manual/upgrading-recipes:using ``devtool upgrade```"
 section in the Yocto Project Development Tasks Manual.
 
 .. _devtool-resetting-a-recipe:

documentation/ref-manual/release-process.rst

@@ -45,6 +45,45 @@ release process validates the content of the new branch.
    Realize that there can be patches merged onto the stable release
    branches as and when they become available.
 
+.. _ref-yp-development-cycle:
+
+Development Cycle
+=================
+
+As explained in the previous :ref:`ref-manual/release-process:Major and Minor
+Release Cadence` section, a new release comes out every six months.
+
+During this six-months period of time, the Yocto Project releases four
+"Milestone" releases which represent distinct points of time. The milestone
+releases are tested through the :ref:`ref-manual/release-process:Testing and
+Quality Assurance` process and helps spotting issues before the actual release
+is out.
+
+The time span between milestone releases can vary, but they are in general
+evenly spaced out during this six-months period of time.
+
+These milestone releases are tagged with a capital "M" after the future release
+tag name. For example, the milestone tags "&DISTRO_RELEASE_SERIES;M1",
+"&DISTRO_RELEASE_SERIES;M2", and "&DISTRO_RELEASE_SERIES;M3" are released before
+the actual "&DISTRO_RELEASE_SERIES;" release.
+
+.. note::
+
+   The fourth milestone (M4) is not actually released and announced, but
+   represents a point of time for the Quality Assurance team to start the
+   :ref:`ref-manual/release-process:Testing and Quality Assurance` process
+   before tagging and delivering the final release.
+
+After the third milestone release (M3), the Yocto Project enters **Feature
+Freeze**. This means that the maintainers of :term:`OpenEmbedded-Core
+(OE-Core)`, :term:`BitBake` and other core repositories stop accepting
+significant changes on the "master" branch. Changes that may be accepted are
+minor upgrades to core components and security/bug fixes.
+
+During feature freeze, a new branch is created and maintained separately to
+test new features and enhancements received from contributors, but these changes
+will only make it to the master branch after the release is out.
+
 Major Release Codenames
 =======================
 
@@ -62,7 +101,8 @@ codename are likely to be compatible and thus work together.
 
 Releases are given a nominal release version as well but the codename is
 used in repositories for this reason. You can find information on Yocto
-Project releases and codenames at :yocto_wiki:`/Releases`.
+Project releases and codenames in the :yocto_home:`Releases page
+</development/releases/>`.
 
 Our :doc:`/migration-guides/index` detail how to migrate from one release of
 the Yocto Project to the next.

documentation/ref-manual/structure.rst

@@ -328,6 +328,15 @@ Once the build process gets the sample file, it uses ``sed`` to substitute final
 This file indicates the state of the sanity checks and is created during
 the build.
 
+.. _structure-build-conf-auto.conf:
+
+``build/conf/auto.conf``
+------------------------
+
+This file contains configuration variables that are automatically modified by
+tools such as :oe_git:`bitbake-config-build </bitbake/tree/bin/bitbake-config-build>`.
+This file should not be modified manually.
+
 .. _structure-build-downloads:
 
 ``build/downloads/``
@@ -498,7 +507,7 @@ generated during the :ref:`ref-tasks-packagedata` task. The files stored in this
 directory contain information about each output package produced by the
 OpenEmbedded build system, and are used in different ways by the build system
 such as ":ref:`dev-manual/debugging:viewing package information with
-\`\`oe-pkgdata-util\`\``".
+``oe-pkgdata-util```".
 
 .. _structure-build-tmp-sstate-control:
 

documentation/ref-manual/svg/releases.svg

@@ -2,11 +2,11 @@
 <svg
    version="1.1"
    id="svg2"
-   width="1523.001"
-   height="504.30499"
-   viewBox="0 0 1523.001 504.30497"
+   width="1992.7236"
+   height="613.35602"
+   viewBox="0 0 1992.7236 613.35599"
    sodipodi:docname="releases.svg"
-   inkscape:version="1.3.2 (091e20ef0f, 2023-11-25, custom)"
+   inkscape:version="1.4.1 (93de688d07, 2025-03-30)"
    inkscape:export-filename="../../../../../../../../tmp/releases.png"
    inkscape:export-xdpi="96"
    inkscape:export-ydpi="96"
@@ -70,7 +70,7 @@
        scale_width="1"
        end_linecap_type="zerowidth"
        not_jump="false"
-       message="&lt;b&gt;Ctrl + click&lt;/b&gt; on existing node and move it" />
+       message="" />
     <marker
        style="overflow:visible"
        id="marker5783"
@@ -412,9 +412,9 @@
      inkscape:window-height="2069"
      id="namedview4"
      showgrid="true"
-     inkscape:zoom="2.1971372"
-     inkscape:cx="1068.2082"
-     inkscape:cy="287.87461"
+     inkscape:zoom="1.5536106"
+     inkscape:cx="1158.2696"
+     inkscape:cy="273.55632"
      inkscape:window-x="2256"
      inkscape:window-y="60"
      inkscape:window-maximized="1"
@@ -433,8 +433,8 @@
     <inkscape:grid
        type="xygrid"
        id="grid1257"
-       originx="-289.99936"
-       originy="369.99997"
+       originx="-289.06071"
+       originy="478.43017"
        spacingy="1"
        spacingx="1"
        units="px"
@@ -444,66 +444,90 @@
      inkscape:groupmode="layer"
      inkscape:label="Image"
      id="g10"
-     transform="translate(-289.99936,370.00003)">
+     transform="translate(-289.06072,478.43022)">
+    <rect
+       style="fill:#333333;fill-opacity:0;stroke:#000000;stroke-width:0.713896;stroke-linejoin:bevel;stroke-miterlimit:0;stroke-opacity:0"
+       id="rect1"
+       width="1992.0098"
+       height="612.64215"
+       x="289.41766"
+       y="-478.07327"
+       ry="24.97636" />
     <path
-       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.449183;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-       d="m 563.40434,64.000628 v -415.635938 0 0"
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.50455;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 563.40434,64.000628 v -524.414808 0 0"
        id="path207708" />
     <path
-       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.449183;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-       d="m 683.40434,64.000628 v -415.635938 0 0"
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.50455;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 683.40434,64.000628 v -524.414808 0 0"
        id="path207708-4" />
     <path
-       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.449183;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-       d="m 803.40434,64.000628 v -415.635938 0 0"
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.50455;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 803.40434,64.000628 v -524.414808 0 0"
        id="path207708-4-3" />
     <path
-       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.449183;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-       d="m 923.40434,64.000588 v -415.635898 0 0"
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.50455;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 923.40434,64.000577 v -524.414757 0 0"
        id="path207708-4-3-6" />
     <path
-       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.449183;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-       d="m 1043.4043,64.000588 v -415.635898 0 0"
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.50455;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 1043.4043,64.000577 v -524.414757 0 0"
        id="path207708-4-3-6-2" />
     <path
-       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.449183;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-       d="m 1163.4043,64.000588 v -415.635898 0 0"
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.50455;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 1163.4043,64.000577 v -524.414757 0 0"
        id="path207708-4-3-6-2-8" />
     <path
-       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.449183;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-       d="m 1283.4043,64.000588 v -415.635898 0 0"
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.50455;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 1283.4043,64.000577 v -524.414757 0 0"
        id="path207708-4-3-6-2-8-4" />
     <path
-       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.449183;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-       d="m 1403.4043,64.000588 v -415.635898 0 0"
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.50455;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 1403.4043,64.000577 v -524.414757 0 0"
        id="path207708-4-3-6-2-8-4-3" />
     <path
        style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.475347;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
        d="m 1523.4043,64.000568 v -415.757648 0 0"
        id="path207708-4-3-6-2-8-4-3-8" />
     <path
-       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.449183;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-       d="m 1523.4043,64.000588 v -415.635898 0 0"
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.50455;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 1523.4043,64.000577 v -524.414757 0 0"
        id="path207708-4-3-6-2-8-4-3-8-0" />
     <path
-       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.449183;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-       d="m 1643.3583,64.000578 v -415.635868 0 0"
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.50455;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 1643.3583,64.000565 v -524.414715 0 0"
        id="path207708-4-3-6-2-8-4-3-8-4" />
     <path
-       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.449183;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-       d="m 1763.4043,64.000578 v -415.635868 0 0"
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.50455;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 1763.4043,64.000565 v -524.414715 0 0"
        id="path207708-4-3-6-2-8-4-3-8-4-0" />
     <path
-       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.449183;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-       d="m 443.40434,64.000628 v -415.635938 0 0"
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.50455;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 1883.7877,64.878769 v -524.414709 0 0"
+       id="path207708-4-3-6-2-8-4-3-8-4-0-8" />
+    <path
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.50455;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 2002.9599,64.984489 v -524.414709 0 0"
+       id="path207708-4-3-6-2-8-4-3-8-4-0-8-8" />
+    <path
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.50455;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 2123.2232,62.984489 v -524.414709 0 0"
+       id="path207708-4-3-6-2-8-4-3-8-4-0-8-8-1" />
+    <path
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.50455;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 2243.313,63.984489 v -524.414709 0 0"
+       id="path207708-4-3-6-2-8-4-3-8-4-0-8-8-1-9" />
+    <path
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.50455;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 443.40434,64.000628 v -524.414808 0 0"
        id="path207708-9" />
     <path
        style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.5;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
        d="m 323.40434,64.000608 v -375.000008 0 0"
        id="path207708-9-6" />
     <path
-       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.449183;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-       d="m 323.40434,64.000618 v -415.635908 0 0"
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:0.50455;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 323.40434,64.000616 v -524.414766 0 0"
        id="path207708-9-6-2" />
     <text
        xml:space="preserve"
@@ -536,7 +560,7 @@
          x="-59.575905"
          y="580.05695" /></text>
     <rect
-       style="fill:#333333;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:2;stroke-opacity:1;opacity:0.5"
+       style="opacity:0.5;fill:#333333;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:2;stroke-opacity:1"
        id="rect917-0-0-4-4-9-4"
        width="160.00002"
        height="45.000004"
@@ -584,15 +608,7 @@
          style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans Bold';text-align:center;text-anchor:middle;fill:#fffefe;fill-opacity:1;stroke:none"
          id="tspan10317-2-9-1-4">4.2</tspan></text>
     <rect
-       style="opacity:0.75;fill:#251f32;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:2;stroke-opacity:1"
-       id="rect917-0-0-4-4-9-4-5-3-9-2-3"
-       width="140"
-       height="45.000004"
-       x="1043.132"
-       y="-328.2114"
-       ry="2.2558987" />
-    <rect
-       style="opacity:1;fill:#333333;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:2;stroke-opacity:1"
+       style="opacity:0.5;fill:#333333;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:2;stroke-opacity:1"
        id="rect917-0-0-4-4-9-4-5-3-9-2-3-6"
        width="140"
        height="45.000004"
@@ -615,22 +631,78 @@
          y="-238.332"
          style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans Bold';text-align:center;text-anchor:middle;fill:#fffefe;fill-opacity:1;stroke:none"
          id="tspan10317-2-9-1-4-6-5-6">5.1</tspan></text>
+    <rect
+       style="fill:#333333;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:2;stroke-opacity:1;opacity:0.5"
+       id="rect917-0-0-4-4-9-4-5-3-9-2-3-6-2"
+       width="140"
+       height="45.000004"
+       x="1043.4697"
+       y="-328.48172"
+       ry="2.2558987" />
     <text
        xml:space="preserve"
        style="font-weight:bold;font-size:13.3333px;line-height:125%;font-family:'Nimbus Roman';-inkscape-font-specification:'Nimbus Roman, Bold';letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;fill:#fffefe;fill-opacity:1;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
-       x="1094.2197"
-       y="-309.83084"
-       id="text1185-3-55-4-0-0-0-1-1-6-4-3"><tspan
+       x="1090.4542"
+       y="-309.61823"
+       id="text1185-3-55-4-0-0-0-1-1-6-4-7"><tspan
          sodipodi:role="line"
-         x="1094.2197"
-         y="-309.83084"
+         x="1090.4542"
+         y="-309.61823"
          style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans Bold';text-align:center;text-anchor:middle;fill:#fffefe;fill-opacity:1;stroke:none"
-         id="tspan957-2-8-6-3-9-7-4-2-0-5">Walnascar</tspan><tspan
+         id="tspan957-2-8-6-3-9-7-4-2-0-0">Walnascar</tspan><tspan
          sodipodi:role="line"
-         x="1094.2197"
-         y="-291.83417"
+         x="1090.4542"
+         y="-291.62155"
          style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans Bold';text-align:center;text-anchor:middle;fill:#fffefe;fill-opacity:1;stroke:none"
-         id="tspan10317-2-9-1-4-6-5-6-6">5.2</tspan></text>
+         id="tspan10317-2-9-1-4-6-5-6-9">5.2</tspan></text>
+    <rect
+       style="opacity:1;fill:#333333;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:2;stroke-opacity:1"
+       id="rect917-0-0-4-4-9-4-5-3-9-2-3-67"
+       width="140"
+       height="45.000004"
+       x="1223.8723"
+       y="-382.27469"
+       ry="2.2558987" />
+    <text
+       xml:space="preserve"
+       style="font-weight:bold;font-size:13.3333px;line-height:125%;font-family:'Nimbus Roman';-inkscape-font-specification:'Nimbus Roman, Bold';letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;fill:#fffefe;fill-opacity:1;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+       x="1275.2014"
+       y="-363.89413"
+       id="text1185-3-55-4-0-0-0-1-1-6-4-3-53"><tspan
+         sodipodi:role="line"
+         x="1275.2014"
+         y="-363.89413"
+         style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans Bold';text-align:center;text-anchor:middle;fill:#fffefe;fill-opacity:1;stroke:none"
+         id="tspan957-2-8-6-3-9-7-4-2-0-5-5">Whinlatter</tspan><tspan
+         sodipodi:role="line"
+         x="1275.2014"
+         y="-345.89746"
+         style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans Bold';text-align:center;text-anchor:middle;fill:#fffefe;fill-opacity:1;stroke:none"
+         id="tspan10317-2-9-1-4-6-5-6-6-6">5.3</tspan></text>
+    <rect
+       style="opacity:0.75;fill:#251f32;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:5.29752;stroke-opacity:1"
+       id="rect917-0-0-4-4-9-4-5-3-9-2-3-67-6"
+       width="982.23163"
+       height="45.000004"
+       x="1283.7023"
+       y="-436.77539"
+       ry="2.2558987" />
+    <text
+       xml:space="preserve"
+       style="font-weight:bold;font-size:13.3333px;line-height:125%;font-family:'Nimbus Roman';-inkscape-font-specification:'Nimbus Roman, Bold';letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;fill:#fffefe;fill-opacity:1;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+       x="1335.1118"
+       y="-418.39484"
+       id="text1185-3-55-4-0-0-0-1-1-6-4-3-53-0"><tspan
+         sodipodi:role="line"
+         x="1335.1118"
+         y="-418.39484"
+         style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans Bold';text-align:center;text-anchor:middle;fill:#fffefe;fill-opacity:1;stroke:none"
+         id="tspan957-2-8-6-3-9-7-4-2-0-5-5-6">Wrynose</tspan><tspan
+         sodipodi:role="line"
+         x="1335.1118"
+         y="-400.39816"
+         style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans Bold';text-align:center;text-anchor:middle;fill:#fffefe;fill-opacity:1;stroke:none"
+         id="tspan10317-2-9-1-4-6-5-6-6-6-2">6.0</tspan></text>
     <g
        id="g1591"
        transform="translate(-516.59566,64.000598)">
@@ -681,7 +753,7 @@
          id="tspan10317-2-9-0-1">5.0</tspan></text>
     <g
        id="g1125-0"
-       transform="matrix(0.42240595,0,0,0.41654472,330.77064,-441.11721)"
+       transform="matrix(0.42240595,0,0,0.41654472,330.77064,-497.11721)"
        style="stroke:none;stroke-width:2.38399">
       <rect
          style="opacity:1;fill:#333333;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:4.76797;stroke-opacity:1"
@@ -923,8 +995,8 @@
          y="345.7359" /></text>
     <path
        id="path29430"
-       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1.72671;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-       d="M 307.54809,63.999718 H 1783.4043 Z" />
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1.99503;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="M 307.54809,63.999718 H 2277.72 Z" />
     <path
        style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
        d="m 323.40434,64.000618 v 9.99995 0"
@@ -1437,50 +1509,324 @@
        style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
        d="m 1763.4043,64.000578 v 9.99999 0"
        id="path29548-5-1-3-6-3-1-0-3-4-2-0-0" />
+    <text
+       xml:space="preserve"
+       style="font-weight:bold;font-size:13.3333px;line-height:125%;font-family:'Nimbus Roman';-inkscape-font-specification:'Nimbus Roman, Bold';letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+       x="1885.6029"
+       y="94.285194"
+       id="text1185-9-7-1-1-8-1-0-4-2-8-2"><tspan
+         sodipodi:role="line"
+         x="1885.6029"
+         y="94.285194"
+         style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none"
+         id="tspan31345-4-0-4-81-5-2-8">Oct.</tspan><tspan
+         sodipodi:role="line"
+         x="1885.6029"
+         y="112.28188"
+         style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none"
+         id="tspan49906-7-3-8-2-8-9-9">2028</tspan></text>
+    <g
+       id="g1267-4-5-2-7"
+       transform="translate(563.45518,-155.9782)">
+      <path
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         d="m 1200,220.00002 v 9.99999 0"
+         id="path29548-5-1-3-6-3-1-0-3-4-1-3" />
+      <path
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         d="m 1220,219.99997 v 5.00004 0"
+         id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-0-5-0-0-5-6"
+         inkscape:transform-center-x="14.782001"
+         inkscape:transform-center-y="-0.085282837" />
+      <path
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         d="m 1240,219.99997 v 5.00004 0"
+         id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-7-5-3-5-9-1"
+         inkscape:transform-center-x="14.782001"
+         inkscape:transform-center-y="-0.085282837" />
+      <path
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         d="m 1260,219.99997 v 5.00004 0"
+         id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-5-2-0-9-9-2"
+         inkscape:transform-center-x="14.782001"
+         inkscape:transform-center-y="-0.085282837" />
+      <path
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         d="m 1280,219.99997 v 5.00004 0"
+         id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-4-8-9-9-4-1-9"
+         inkscape:transform-center-x="14.782001"
+         inkscape:transform-center-y="-0.085282837" />
+      <path
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         d="m 1299.7216,219.99997 v 5.00004 0"
+         id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-4-9-7-0-2-6-4-3"
+         inkscape:transform-center-x="-14.78205"
+         inkscape:transform-center-y="-0.085282837" />
+    </g>
+    <path
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 1883.4551,64.021829 v 9.99999 0"
+       id="path29548-5-1-3-6-3-1-0-3-4-2-0-0-1" />
+    <text
+       xml:space="preserve"
+       style="font-weight:bold;font-size:13.3333px;line-height:125%;font-family:'Nimbus Roman';-inkscape-font-specification:'Nimbus Roman, Bold';letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+       x="2005.5908"
+       y="94.339828"
+       id="text1185-9-7-1-1-8-1-0-4-2-8-2-4"><tspan
+         sodipodi:role="line"
+         x="2005.5908"
+         y="94.339828"
+         style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none"
+         id="tspan31345-4-0-4-81-5-2-8-7">Apr.</tspan><tspan
+         sodipodi:role="line"
+         x="2005.5908"
+         y="112.33651"
+         style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none"
+         id="tspan49906-7-3-8-2-8-9-9-8">2029</tspan></text>
+    <g
+       id="g1267-4-5-2-7-4"
+       transform="translate(683.44312,-155.92356)">
+      <path
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         d="m 1200,220.00002 v 9.99999 0"
+         id="path29548-5-1-3-6-3-1-0-3-4-1-3-5" />
+      <path
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         d="m 1220,219.99997 v 5.00004 0"
+         id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-0-5-0-0-5-6-0"
+         inkscape:transform-center-x="14.782001"
+         inkscape:transform-center-y="-0.085282837" />
+      <path
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         d="m 1240,219.99997 v 5.00004 0"
+         id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-7-5-3-5-9-1-3"
+         inkscape:transform-center-x="14.782001"
+         inkscape:transform-center-y="-0.085282837" />
+      <path
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         d="m 1260,219.99997 v 5.00004 0"
+         id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-5-2-0-9-9-2-6"
+         inkscape:transform-center-x="14.782001"
+         inkscape:transform-center-y="-0.085282837" />
+      <path
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         d="m 1280,219.99997 v 5.00004 0"
+         id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-4-8-9-9-4-1-9-1"
+         inkscape:transform-center-x="14.782001"
+         inkscape:transform-center-y="-0.085282837" />
+      <path
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         d="m 1299.7216,219.99997 v 5.00004 0"
+         id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-4-9-7-0-2-6-4-3-0"
+         inkscape:transform-center-x="-14.78205"
+         inkscape:transform-center-y="-0.085282837" />
+    </g>
+    <path
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 2003.443,64.076464 v 9.99999 0"
+       id="path29548-5-1-3-6-3-1-0-3-4-2-0-0-1-6" />
+    <text
+       xml:space="preserve"
+       style="font-weight:bold;font-size:13.3333px;line-height:125%;font-family:'Nimbus Roman';-inkscape-font-specification:'Nimbus Roman, Bold';letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+       x="2125.6079"
+       y="94.692207"
+       id="text1185-9-7-1-1-8-1-0-4-2-8-2-4-2"><tspan
+         sodipodi:role="line"
+         x="2125.6079"
+         y="94.692207"
+         style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none"
+         id="tspan31345-4-0-4-81-5-2-8-7-0">Oct.</tspan><tspan
+         sodipodi:role="line"
+         x="2125.6079"
+         y="112.68889"
+         style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none"
+         id="tspan49906-7-3-8-2-8-9-9-8-6">2029</tspan></text>
+    <g
+       id="g1267-4-5-2-7-4-1"
+       transform="translate(803.46019,-155.57118)">
+      <path
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         d="m 1200,220.00002 v 9.99999 0"
+         id="path29548-5-1-3-6-3-1-0-3-4-1-3-5-5" />
+      <path
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         d="m 1220,219.99997 v 5.00004 0"
+         id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-0-5-0-0-5-6-0-5"
+         inkscape:transform-center-x="14.782001"
+         inkscape:transform-center-y="-0.085282837" />
+      <path
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         d="m 1240,219.99997 v 5.00004 0"
+         id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-7-5-3-5-9-1-3-4"
+         inkscape:transform-center-x="14.782001"
+         inkscape:transform-center-y="-0.085282837" />
+      <path
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         d="m 1260,219.99997 v 5.00004 0"
+         id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-5-2-0-9-9-2-6-7"
+         inkscape:transform-center-x="14.782001"
+         inkscape:transform-center-y="-0.085282837" />
+      <path
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         d="m 1280,219.99997 v 5.00004 0"
+         id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-4-8-9-9-4-1-9-1-6"
+         inkscape:transform-center-x="14.782001"
+         inkscape:transform-center-y="-0.085282837" />
+      <path
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         d="m 1299.7216,219.99997 v 5.00004 0"
+         id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-4-9-7-0-2-6-4-3-0-5"
+         inkscape:transform-center-x="-14.78205"
+         inkscape:transform-center-y="-0.085282837" />
+    </g>
+    <path
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 2123.4601,64.428843 v 9.99999 0"
+       id="path29548-5-1-3-6-3-1-0-3-4-2-0-0-1-6-6" />
+    <path
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 2123.3825,64.223284 v 9.99999 0"
+       id="path29548-5-1-3-6-3-1-0-3-4-2-0-0-1-6-3" />
+    <text
+       xml:space="preserve"
+       style="font-weight:bold;font-size:13.3333px;line-height:125%;font-family:'Nimbus Roman';-inkscape-font-specification:'Nimbus Roman, Bold';letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
+       x="2245.5474"
+       y="94.839027"
+       id="text1185-9-7-1-1-8-1-0-4-2-8-2-4-2-7"><tspan
+         sodipodi:role="line"
+         x="2245.5474"
+         y="94.839027"
+         style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none"
+         id="tspan31345-4-0-4-81-5-2-8-7-0-4">Apr.</tspan><tspan
+         sodipodi:role="line"
+         x="2245.5474"
+         y="112.83571"
+         style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-east-asian:normal;text-align:center;text-anchor:middle;stroke:none"
+         id="tspan49906-7-3-8-2-8-9-9-8-6-5">2030</tspan></text>
+    <g
+       id="g1267-4-5-2-7-4-1-2"
+       transform="translate(923.39972,-155.42436)">
+      <path
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         d="m 1200,220.00002 v 9.99999 0"
+         id="path29548-5-1-3-6-3-1-0-3-4-1-3-5-5-5" />
+      <path
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         d="m 1220,219.99997 v 5.00004 0"
+         id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-0-5-0-0-5-6-0-5-4"
+         inkscape:transform-center-x="14.782001"
+         inkscape:transform-center-y="-0.085282837" />
+      <path
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         d="m 1240,219.99997 v 5.00004 0"
+         id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-7-5-3-5-9-1-3-4-7"
+         inkscape:transform-center-x="14.782001"
+         inkscape:transform-center-y="-0.085282837" />
+      <path
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         d="m 1260,219.99997 v 5.00004 0"
+         id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-5-2-0-9-9-2-6-7-4"
+         inkscape:transform-center-x="14.782001"
+         inkscape:transform-center-y="-0.085282837" />
+      <path
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         d="m 1280,219.99997 v 5.00004 0"
+         id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-4-8-9-9-4-1-9-1-6-4"
+         inkscape:transform-center-x="14.782001"
+         inkscape:transform-center-y="-0.085282837" />
+      <path
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         d="m 1299.7216,219.99997 v 5.00004 0"
+         id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-4-9-7-0-2-6-4-3-0-5-3"
+         inkscape:transform-center-x="-14.78205"
+         inkscape:transform-center-y="-0.085282837" />
+    </g>
+    <g
+       id="g1267-4-5-2-7-4-1-2-0"
+       transform="translate(1043.3579,-155.33829)">
+      <path
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         d="m 1200,220.00002 v 9.99999 0"
+         id="path29548-5-1-3-6-3-1-0-3-4-1-3-5-5-5-6" />
+      <path
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         d="m 1220,219.99997 v 5.00004 0"
+         id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-0-5-0-0-5-6-0-5-4-8"
+         inkscape:transform-center-x="14.782001"
+         inkscape:transform-center-y="-0.085282837" />
+      <path
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         d="m 1240,219.99997 v 5.00004 0"
+         id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-7-5-3-5-9-1-3-4-7-9"
+         inkscape:transform-center-x="14.782001"
+         inkscape:transform-center-y="-0.085282837" />
+      <path
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         d="m 1260,219.99997 v 5.00004 0"
+         id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-5-2-0-9-9-2-6-7-4-2"
+         inkscape:transform-center-x="14.782001"
+         inkscape:transform-center-y="-0.085282837" />
+      <path
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         d="m 1280,219.99997 v 5.00004 0"
+         id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-4-8-9-9-4-1-9-1-6-4-6"
+         inkscape:transform-center-x="14.782001"
+         inkscape:transform-center-y="-0.085282837" />
+      <path
+         style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:1;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         d="m 1299.7216,219.99997 v 5.00004 0"
+         id="path29548-8-5-0-6-4-6-2-9-0-8-1-3-1-9-6-9-3-4-0-4-6-2-2-7-6-1-9-9-1-4-9-7-0-2-6-4-3-0-5-3-6"
+         inkscape:transform-center-x="-14.78205"
+         inkscape:transform-center-y="-0.085282837" />
+    </g>
+    <path
+       style="fill:none;fill-rule:evenodd;stroke:#000000;stroke-width:2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 2243.3996,64.575663 v 9.99999 0"
+       id="path29548-5-1-3-6-3-1-0-3-4-2-0-0-1-6-6-0" />
     <rect
        style="opacity:0.75;fill:#241f31;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:0.751473;stroke-opacity:1"
        id="rect917-0-0-4-4-9-4-5-3-9-2-36"
        width="38.418175"
        height="23.151052"
-       x="1605.6135"
-       y="-41.172161"
+       x="2047.6135"
+       y="-45.172161"
        ry="1.1605872" />
     <rect
        style="opacity:1;fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:1.98878;stroke-dasharray:none;stroke-opacity:1"
        id="rect917-0-0-4-4-9-4-5-3-9-2-36-7"
        width="186.42949"
        height="110.40546"
-       x="1594.5294"
-       y="-73.753708"
+       x="2036.5294"
+       y="-77.753708"
        ry="5.5347452" />
     <rect
        style="opacity:0.75;fill:#241f31;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:0.50949;stroke-opacity:1"
        id="rect917-0-0-4-4-9-4-5-3-9-2-6"
        width="21.197233"
        height="19.28739"
-       x="1611.8163"
-       y="-41.883858"
+       x="2053.8164"
+       y="-45.883858"
        ry="0.96689767" />
     <text
        xml:space="preserve"
        style="font-weight:bold;font-size:13.3333px;line-height:125%;font-family:'Nimbus Roman';-inkscape-font-specification:'Nimbus Roman, Bold';letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;fill:#fffefe;fill-opacity:1;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
-       x="1690.4917"
-       y="-53.687912"
+       x="2132.4917"
+       y="-57.687912"
        id="text1185-3-55-4-0-0-0-1-1-6-4-3-5"><tspan
          sodipodi:role="line"
-         x="1690.4917"
-         y="-53.687912"
+         x="2132.4917"
+         y="-57.687912"
          style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans Bold';text-align:center;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none"
          id="tspan10317-2-9-1-4-6-5-6-6-5">Legend</tspan></text>
     <text
        xml:space="preserve"
        style="font-weight:bold;font-size:13.3333px;line-height:125%;font-family:'Nimbus Roman';-inkscape-font-specification:'Nimbus Roman, Bold';letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;fill:#fffefe;fill-opacity:1;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
-       x="1656.0988"
-       y="-27.899874"
+       x="2098.0986"
+       y="-31.899874"
        id="text1185-3-55-4-0-0-0-1-1-6-4-3-5-2"><tspan
          sodipodi:role="line"
-         x="1656.0988"
-         y="-27.899874"
+         x="2098.0986"
+         y="-31.899874"
          style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans';text-align:center;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none"
          id="tspan10317-2-9-1-4-6-5-6-6-5-9">Future</tspan></text>
     <rect
@@ -1488,38 +1834,38 @@
        id="rect917-0-0-4-4-9-4-5-3-9-2-6-1"
        width="21.197233"
        height="19.28739"
-       x="1611.8671"
-       y="-17.756365"
+       x="2053.8672"
+       y="-21.756365"
        ry="0.96689767" />
     <text
        xml:space="preserve"
        style="font-weight:bold;font-size:13.3333px;line-height:125%;font-family:'Nimbus Roman';-inkscape-font-specification:'Nimbus Roman, Bold';letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;fill:#fffefe;fill-opacity:1;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
-       x="1686.7159"
-       y="-3.6722763"
+       x="2128.7158"
+       y="-7.6722765"
        id="text1185-3-55-4-0-0-0-1-1-6-4-3-5-2-2"><tspan
          sodipodi:role="line"
-         x="1686.7159"
-         y="-3.6722763"
+         x="2128.7158"
+         y="-7.6722765"
          style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans';text-align:center;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none"
-         id="tspan10317-2-9-1-4-6-5-6-6-5-9-7">Current (Oct. 24)</tspan></text>
+         id="tspan10317-2-9-1-4-6-5-6-6-5-9-7">Current (Dec. 25)</tspan></text>
     <text
        xml:space="preserve"
        style="font-weight:bold;font-size:13.3333px;line-height:125%;font-family:'Nimbus Roman';-inkscape-font-specification:'Nimbus Roman, Bold';letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;fill:#fffefe;fill-opacity:1;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1"
-       x="1667.363"
-       y="20.03771"
+       x="2109.363"
+       y="16.03771"
        id="text1185-3-55-4-0-0-0-1-1-6-4-3-5-2-2-9"><tspan
          sodipodi:role="line"
-         x="1667.363"
-         y="20.03771"
+         x="2109.363"
+         y="16.03771"
          style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:13.3333px;font-family:'Liberation Sans';-inkscape-font-specification:'Liberation Sans';text-align:center;text-anchor:middle;fill:#000000;fill-opacity:1;stroke:none"
          id="tspan10317-2-9-1-4-6-5-6-6-5-9-7-3">End-of-life</tspan></text>
     <rect
-       style="fill:#333333;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:0.50949;stroke-opacity:1;opacity:0.5"
+       style="opacity:0.5;fill:#333333;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:0.50949;stroke-opacity:1"
        id="rect917-0-0-4-4-9-4-5-3-9-2-6-1-0"
        width="21.197233"
        height="19.28739"
-       x="1612.0239"
-       y="5.9667883"
+       x="2054.0239"
+       y="1.9667883"
        ry="0.96689767" />
     <rect
        style="opacity:0.5;fill:#333333;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1.85786;stroke-opacity:1"

documentation/ref-manual/system-requirements.rst

@@ -58,20 +58,35 @@ Supported Linux Distributions
 Currently, the &DISTRO; release ("&DISTRO_NAME;") of the Yocto Project is
 supported on the following distributions:
 
--  Ubuntu 20.04 (LTS)
-
--  Ubuntu 22.04 (LTS)
-
--  Fedora 38
-
--  Debian GNU/Linux 11.x (Bullseye)
+..
+   Can be generated with yocto-autobuilder-helper's scripts/yocto-supported-distros:
+   yocto-supported-distros --release kirkstone --config yocto-autobuilder2/config.py --output-format docs --poky-distros
 
 -  AlmaLinux 8
+-  AlmaLinux 9
+-  Debian 11
+-  Debian 12
+-  Fedora 39
+-  Fedora 40
+-  Fedora 41
+-  Rocky Linux 8
+-  Rocky Linux 9
+-  Ubuntu 20.04 (LTS)
+-  Ubuntu 22.04 (LTS)
+-  Ubuntu 24.04 (LTS)
+-  Ubuntu 24.10
 
 The following distribution versions are still tested, even though the
 organizations publishing them no longer make updates publicly available:
 
--  Ubuntu 18.04 (LTS)
+..
+   This list contains EOL distros that are still tested on the Autobuilder
+   (meaning there are running workers for them).
+   See https://endoflife.date for information of EOL releases.
+
+-  Fedora 39
+-  Fedora 40
+-  Ubuntu 20.04 (LTS)
 
 Note that the Yocto Project doesn't have access to private updates
 that some of these versions may have. Therefore, our testing has
@@ -80,19 +95,33 @@ limited value if you have access to such updates.
 Finally, here are the distribution versions which were previously
 tested on former revisions of "&DISTRO_NAME;", but no longer are:
 
--  Ubuntu 18.04 (LTS)
-
--  Ubuntu 20.04 (LTS)
-
--  Ubuntu 22.04 (LTS)
+..
+   Can be generated with yocto-autobuilder-helper's scripts/yocto-supported-distros:
+   yocto-supported-distros --release kirkstone --config yocto-autobuilder2/config.py --output-format docs --old-distros
 
+-  CentOS 7
+-  CentOS 8
+-  Debian 10
+-  Debian 8
+-  Debian 9
+-  Fedora 29
+-  Fedora 30
+-  Fedora 31
+-  Fedora 32
+-  Fedora 33
+-  Fedora 34
+-  Fedora 35
+-  Fedora 36
 -  Fedora 37
-
--  Debian GNU/Linux 11.x (Bookworm)
-
+-  Fedora 38
+-  OpenSUSE Leap 15.0
+-  OpenSUSE Leap 15.1
+-  OpenSUSE Leap 15.2
 -  OpenSUSE Leap 15.3
-
--  AlmaLinux 8
+-  Ubuntu 16.04
+-  Ubuntu 18.04
+-  Ubuntu 19.04
+-  Ubuntu 21.10
 
 .. note::
 

documentation/ref-manual/tasks.rst

@@ -740,7 +740,7 @@ tool, which you then use to modify the kernel configuration.
            $ bitbake linux-yocto -c menuconfig
 
 
-See the ":ref:`kernel-dev/common:using \`\`menuconfig\`\``"
+See the ":ref:`kernel-dev/common:using ``menuconfig```"
 section in the Yocto Project Linux Kernel Development Manual for more
 information on this configuration tool.
 
@@ -764,7 +764,7 @@ which can then be applied by subsequent tasks such as
 
 Runs ``make menuconfig`` for the kernel. For information on
 ``menuconfig``, see the
-":ref:`kernel-dev/common:using \`\`menuconfig\`\``"
+":ref:`kernel-dev/common:using ``menuconfig```"
 section in the Yocto Project Linux Kernel Development Manual.
 
 .. _ref-tasks-savedefconfig:

documentation/ref-manual/terms.rst

@@ -63,7 +63,7 @@ universal, the list includes them just in case:
       This term refers to the area used by the OpenEmbedded build system for
       builds. The area is created when you ``source`` the setup environment
       script that is found in the Source Directory
-      (i.e. :ref:`ref-manual/structure:\`\`oe-init-build-env\`\``). The
+      (i.e. :ref:`ref-manual/structure:``oe-init-build-env```). The
       :term:`TOPDIR` variable points to the Build Directory.
 
       You have a lot of flexibility when creating the :term:`Build Directory`.

documentation/ref-manual/variables.rst

@@ -1097,6 +1097,17 @@ system and gives an overview of their function and contents.
    :term:`CC`
       The minimal command and arguments used to run the C compiler.
 
+   :term:`CCACHE_DISABLE`
+      When inheriting the :ref:`ref-classes-ccache` class, the
+      :term:`CCACHE_DISABLE` variable can be set to "1" in a recipe to disable
+      `Ccache` support. This is useful when the recipe is known to not support it.
+
+   :term:`CCACHE_TOP_DIR`
+      When inheriting the :ref:`ref-classes-ccache` class, the
+      :term:`CCACHE_TOP_DIR` variable can be set to the location of where
+      `Ccache` stores its cache files. This directory can be shared between
+      builds.
+
    :term:`CFLAGS`
       Specifies the flags to pass to the C compiler. This variable is
       exported to an environment variable and thus made visible to the
@@ -1806,7 +1817,7 @@ system and gives an overview of their function and contents.
       ``${TMPDIR}/deploy``.
 
       For more information on the structure of the Build Directory, see
-      ":ref:`ref-manual/structure:the build directory --- \`\`build/\`\``" section.
+      ":ref:`ref-manual/structure:the build directory --- ``build/```" section.
       For more detail on the contents of the ``deploy`` directory, see the
       ":ref:`overview-manual/concepts:images`",
       ":ref:`overview-manual/concepts:package feeds`", and
@@ -1850,7 +1861,7 @@ system and gives an overview of their function and contents.
       <ref-classes-image>` class.
 
       For more information on the structure of the Build Directory, see
-      ":ref:`ref-manual/structure:the build directory --- \`\`build/\`\``" section.
+      ":ref:`ref-manual/structure:the build directory --- ``build/```" section.
       For more detail on the contents of the ``deploy`` directory, see the
       ":ref:`overview-manual/concepts:images`" and
       ":ref:`overview-manual/concepts:application development sdk`" sections both in
@@ -2801,6 +2812,10 @@ system and gives an overview of their function and contents.
       For guidance on how to create your own file permissions settings
       table file, examine the existing ``fs-perms.txt``.
 
+   :term:`FIT_CONF_PREFIX`
+      When using the :ref:`ref-classes-kernel-fitimage`, this is the prefix
+      used for creating FIT configuration nodes. Its default value is "conf-".
+
    :term:`FIT_DESC`
       Specifies the description string encoded into a fitImage. The default
       value is set by the :ref:`kernel-fitimage <ref-classes-kernel-fitimage>`
@@ -3305,6 +3320,24 @@ system and gives an overview of their function and contents.
       variable, see the :ref:`image_types <ref-classes-image_types>`
       class file, which is ``meta/classes/image_types.bbclass``.
 
+   :term:`IMAGE_CONTAINER_NO_DUMMY`
+      When an image recipe has the ``container`` image type in
+      :term:`IMAGE_FSTYPES`, it expects the :term:`PREFERRED_PROVIDER` for
+      the Linux kernel (``virtual/kernel``) to be set to ``linux-dummy`` from a
+      :term:`configuration file`. Otherwise, an error is triggered.
+
+      When set to "1", the :term:`IMAGE_CONTAINER_NO_DUMMY` variable allows the
+      :term:`PREFERRED_PROVIDER` variable to be set to another value, thus
+      skipping the check and not triggering the build error. Any other value
+      will keep the check.
+
+      This variable should be set from the image recipe using the ``container``
+      image type.
+
+      See the documentation of the :ref:`ref-classes-image-container` class for
+      more information on why setting the :term:`PREFERRED_PROVIDER` to
+      ``linux-dummy`` is advised with this class.
+
    :term:`IMAGE_DEVICE_TABLES`
       Specifies one or more files that contain custom device tables that
       are passed to the ``makedevs`` command as part of creating an image.
@@ -3531,6 +3564,12 @@ system and gives an overview of their function and contents.
       added to the image by using the :term:`IMAGE_ROOTFS_EXTRA_SPACE`
       variable.
 
+      When using Wic tool, beware that a second overhead factor is also applied.
+      This overhead value is defined by the ``--overhead-factor`` option, which
+      defaults to "1.3" when omitted. See the
+      :ref:`ref-manual/kickstart:command: part or partition` chapter in
+      :doc:`/ref-manual/kickstart` for details.
+
    :term:`IMAGE_PKGTYPE`
       Defines the package type (i.e. DEB, RPM, IPK, or TAR) used by the
       OpenEmbedded build system. The variable is defined appropriately by
@@ -3617,6 +3656,36 @@ system and gives an overview of their function and contents.
 
          IMAGE_ROOTFS_EXTRA_SPACE = "41943040"
 
+   :term:`IMAGE_ROOTFS_MAXSIZE`
+      Defines the maximum allowed size of the generated image in kilobytes.
+      The build will fail if the generated image size exceeds this value.
+
+      The generated image size undergoes several calculation steps before being
+      compared to :term:`IMAGE_ROOTFS_MAXSIZE`.
+      In the first step, the size of the directory pointed to by :term:`IMAGE_ROOTFS`
+      is calculated.
+      In the second step, the result from the first step is multiplied
+      by :term:`IMAGE_OVERHEAD_FACTOR`.
+      In the third step, the result from the second step is compared with
+      :term:`IMAGE_ROOTFS_SIZE`. The larger value of these is added to
+      :term:`IMAGE_ROOTFS_EXTRA_SPACE`.
+      In the fourth step, the result from the third step is checked for
+      a decimal part. If it has one, it is rounded up to the next integer.
+      If it does not, it is simply converted into an integer.
+      In the fifth step, the :term:`IMAGE_ROOTFS_ALIGNMENT` is added to the result
+      from the fourth step and "1" is subtracted.
+      In the sixth step, the remainder of the division between the result
+      from the fifth step and :term:`IMAGE_ROOTFS_ALIGNMENT` is subtracted from the
+      result of the fifth step. In this way, the result from the fourth step is
+      rounded up to the nearest multiple of :term:`IMAGE_ROOTFS_ALIGNMENT`.
+
+      Thus, if the :term:`IMAGE_ROOTFS_MAXSIZE` is set, is compared with the result
+      of the above calculations and is independent of the final image type.
+      No default value is set for :term:`IMAGE_ROOTFS_MAXSIZE`.
+
+      It's a good idea to set this variable for images that need to fit on a limited
+      space (e.g. SD card, a fixed-size partition, ...).
+
    :term:`IMAGE_ROOTFS_SIZE`
       Defines the size in Kbytes for the generated image. The OpenEmbedded
       build system determines the final size for the generated image using
@@ -3822,6 +3891,23 @@ system and gives an overview of their function and contents.
       Set the variable to "1" to prevent the default dependencies from
       being added.
 
+   :term:`INHIBIT_DEFAULT_RUST_DEPS`
+      Prevents the :ref:`ref-classes-rust` class from automatically adding
+      its default build-time dependencies.
+
+      When a recipe inherits the :ref:`ref-classes-rust` class, several
+      tools such as ``rust-native`` and ``${RUSTLIB_DEP}`` (only added when cross-compiling) are added
+      to :term:`DEPENDS` to support the ``rust`` build process.
+
+      To prevent the build system from adding these dependencies automatically,
+      set the :term:`INHIBIT_DEFAULT_RUST_DEPS` variable as follows::
+
+         INHIBIT_DEFAULT_RUST_DEPS = "1"
+
+      By default, the value of :term:`INHIBIT_DEFAULT_RUST_DEPS` is empty. Setting
+      it to "0" does not disable inhibition. Only the empty string will disable
+      inhibition.
+
    :term:`INHIBIT_PACKAGE_DEBUG_SPLIT`
       Prevents the OpenEmbedded build system from splitting out debug
       information during packaging. By default, the build system splits out
@@ -3869,6 +3955,25 @@ system and gives an overview of their function and contents.
          even if the toolchain's binaries are strippable, there are other files
          needed for the build that are not strippable.
 
+   :term:`INHIBIT_UPDATERCD_BBCLASS`
+      Prevents the :ref:`ref-classes-update-rc.d` class from automatically
+      installing and registering SysV init scripts for packages.
+
+      When a recipe inherits the :ref:`ref-classes-update-rc.d` class, init
+      scripts are typically installed and registered for the packages listed in
+      :term:`INITSCRIPT_PACKAGES`. This ensures that the relevant
+      services are started and stopped at the appropriate runlevels using the
+      traditional SysV init system.
+
+      To prevent the build system from adding these scripts and configurations
+      automatically, set the :term:`INHIBIT_UPDATERCD_BBCLASS` variable as follows::
+
+         INHIBIT_UPDATERCD_BBCLASS = "1"
+
+      By default, the value of :term:`INHIBIT_UPDATERCD_BBCLASS` is empty. Setting
+      it to "0" does not disable inhibition. Only the empty string will disable
+      inhibition.
+
    :term:`INIT_MANAGER`
       Specifies the system init manager to use. Available options are:
 
@@ -4010,6 +4115,20 @@ system and gives an overview of their function and contents.
       See the :term:`MACHINE` variable for additional
       information.
 
+   :term:`INITRAMFS_MAXSIZE`
+      Defines the maximum allowed size of the :term:`Initramfs` image in Kbytes.
+      The build will fail if the :term:`Initramfs` image size exceeds this value.
+
+      The :term:`Initramfs` image size undergoes several calculation steps before
+      being compared to :term:`INITRAMFS_MAXSIZE`.
+      These steps are the same as those used for :term:`IMAGE_ROOTFS_MAXSIZE`
+      and are described in detail in that entry.
+
+      Thus, :term:`INITRAMFS_MAXSIZE` is compared with the result of the calculations
+      and is independent of the final image type (e.g. compressed).
+      A default value for :term:`INITRAMFS_MAXSIZE` is set in
+      :oe_git:`meta/conf/bitbake.conf </openembedded-core/tree/meta/conf/bitbake.conf>`.
+
    :term:`INITRAMFS_MULTICONFIG`
       Defines the multiconfig to create a multiconfig dependency to be used by the :ref:`kernel <ref-classes-kernel>` class.
 
@@ -4161,8 +4280,7 @@ system and gives an overview of their function and contents.
       would place patch files and configuration fragment files (i.e.
       "out-of-tree"). However, if you want to use a ``defconfig`` file that
       is part of the kernel tree (i.e. "in-tree"), you can use the
-      :term:`KBUILD_DEFCONFIG` variable and append the
-      :term:`KMACHINE` variable to point to the
+      :term:`KBUILD_DEFCONFIG` variable to point to the
       ``defconfig`` file.
 
       To use the variable, set it in the append file for your kernel recipe
@@ -4197,15 +4315,8 @@ system and gives an overview of their function and contents.
       options not explicitly specified will be disabled in the kernel
       config.
 
-      In case :term:`KCONFIG_MODE` is not set the behaviour will depend on where
-      the ``defconfig`` file is coming from. An "in-tree" ``defconfig`` file
-      will be handled in ``alldefconfig`` mode, a ``defconfig`` file placed
-      in ``${WORKDIR}`` through a meta-layer will be handled in
-      ``allnoconfig`` mode.
-
-      An "in-tree" ``defconfig`` file can be selected via the
-      :term:`KBUILD_DEFCONFIG` variable. :term:`KCONFIG_MODE` does not need to
-      be explicitly set.
+      In case :term:`KCONFIG_MODE` is not set the ``defconfig`` file
+      will be handled in ``allnoconfig`` mode.
 
       A ``defconfig`` file compatible with ``allnoconfig`` mode can be
       generated by copying the ``.config`` file from a working Linux kernel
@@ -4498,6 +4609,27 @@ system and gives an overview of their function and contents.
       the :term:`KERNEL_PATH` variable. Both variables are common variables
       used by external Makefiles to point to the kernel source directory.
 
+   :term:`KERNEL_SPLIT_MODULES`
+      When inheriting the :ref:`ref-classes-kernel-module-split` class, this
+      variable controls whether kernel modules are split into separate packages
+      or bundled into a single package.
+
+      For some use cases, a monolithic kernel module package
+      :term:`KERNEL_PACKAGE_NAME` that contains all modules built from the
+      kernel sources may be preferred to speed up the installation.
+
+      By default, this variable is set to ``1``, resulting in one package per
+      module. Setting it to any other value will generate a single monolithic
+      package containing all kernel modules.
+
+      .. note::
+
+         If :term:`KERNEL_SPLIT_MODULES` is set to 0, it is still possible to
+         install all kernel modules at once by adding ``kernel-modules`` (assuming
+         :term:`KERNEL_PACKAGE_NAME` is ``kernel-modules``) to :term:`IMAGE_INSTALL`.
+         The way it works is that a placeholder "kernel-modules" package will be
+         created and will depend on every other individual kernel module packages.
+
    :term:`KERNEL_SRC`
       The location of the kernel sources. This variable is set to the value
       of the :term:`STAGING_KERNEL_DIR` within
@@ -4584,7 +4716,7 @@ system and gives an overview of their function and contents.
       information on how this variable is used.
 
    :term:`LAYERDEPENDS`
-      Lists the layers, separated by spaces, on which this recipe depends.
+      Lists the layers, separated by spaces, on which this layer depends.
       Optionally, you can specify a specific layer version for a dependency
       by adding it to the end of the layer name. Here is an example::
 
@@ -5441,8 +5573,8 @@ system and gives an overview of their function and contents.
 
       .. note::
 
-         An easy way to see what overrides apply is to search for :term:`OVERRIDES`
-         in the output of the ``bitbake -e`` command. See the
+         An easy way to see what overrides apply is to run the command
+         ``bitbake-getvar -r myrecipe OVERRIDES``. See the
          ":ref:`dev-manual/debugging:viewing variable values`" section in the Yocto
          Project Development Tasks Manual for more information.
 
@@ -6099,7 +6231,7 @@ system and gives an overview of their function and contents.
       For examples of how this data is used, see the
       ":ref:`overview-manual/concepts:automatically added runtime dependencies`"
       section in the Yocto Project Overview and Concepts Manual and the
-      ":ref:`dev-manual/debugging:viewing package information with \`\`oe-pkgdata-util\`\``"
+      ":ref:`dev-manual/debugging:viewing package information with ``oe-pkgdata-util```"
       section in the Yocto Project Development Tasks Manual. For more
       information on the shared, global-state directory, see
       :term:`STAGING_DIR_HOST`.
@@ -6718,6 +6850,16 @@ system and gives an overview of their function and contents.
    :term:`REPODIR`
       See :term:`bitbake:REPODIR` in the BitBake manual.
 
+   :term:`REQUIRED_COMBINED_FEATURES`
+      When inheriting the :ref:`ref-classes-features_check` class, this variable
+      identifies combined features (the intersection of :term:`MACHINE_FEATURES`
+      and :term:`DISTRO_FEATURES`) that must exist in the current configuration
+      in order for the :term:`OpenEmbedded Build System` to build the recipe. In
+      other words, if the :term:`REQUIRED_COMBINED_FEATURES` variable lists a
+      feature that does not appear in :term:`COMBINED_FEATURES` within the
+      current configuration, then the recipe will be skipped, and if the build
+      system attempts to build the recipe then an error will be triggered.
+
    :term:`REQUIRED_DISTRO_FEATURES`
       When inheriting the
       :ref:`features_check <ref-classes-features_check>`
@@ -6729,6 +6871,32 @@ system and gives an overview of their function and contents.
       the recipe will be skipped, and if the build system attempts to build
       the recipe then an error will be triggered.
 
+   :term:`REQUIRED_IMAGE_FEATURES`
+      When inheriting the :ref:`ref-classes-features_check` class, this variable
+      identifies image features that must exist in the current
+      configuration in order for the :term:`OpenEmbedded Build System` to build
+      the recipe. In other words, if the :term:`REQUIRED_IMAGE_FEATURES` variable
+      lists a feature that does not appear in :term:`IMAGE_FEATURES` within the
+      current configuration, then the recipe will be skipped, and if the build
+      system attempts to build the recipe then an error will be triggered.
+
+      Compared to other ``REQUIRED_*_FEATURES`` variables, the
+      :term:`REQUIRED_IMAGE_FEATURES` varible only targets image recipes, as the
+      :term:`IMAGE_FEATURES` variable is handled by the :ref:`ref-classes-core-image`
+      class). However, the :term:`REQUIRED_IMAGE_FEATURES` varible can also be
+      set from a :term:`Configuration File`, such as a distro
+      configuration file, if the list of required image features should apply to
+      all images using this :term:`DISTRO`.
+
+   :term:`REQUIRED_MACHINE_FEATURES`
+      When inheriting the :ref:`ref-classes-features_check` class, this variable
+      identifies :term:`MACHINE_FEATURES` that must exist in the current
+      configuration in order for the :term:`OpenEmbedded Build System` to build
+      the recipe. In other words, if the :term:`REQUIRED_MACHINE_FEATURES` variable
+      lists a feature that does not appear in :term:`MACHINE_FEATURES` within the
+      current configuration, then the recipe will be skipped, and if the build
+      system attempts to build the recipe then an error will be triggered.
+
    :term:`REQUIRED_VERSION`
       If there are multiple versions of a recipe available, this variable
       determines which version should be given preference.
@@ -7697,6 +7865,11 @@ system and gives an overview of their function and contents.
       section in the Yocto Project Board Support Package Developer's Guide
       for additional information.
 
+   :term:`SPL_DTB_BINARY`
+      When inheriting the :ref:`ref-classes-uboot-sign` class, the
+      :term:`SPL_DTB_BINARY` variable contains the name of the SPL binary to be
+      compiled.
+
    :term:`SPL_MKIMAGE_DTCOPTS`
       Options for the device tree compiler passed to ``mkimage -D`` feature
       while creating a FIT image with the :ref:`ref-classes-uboot-sign`
@@ -7717,7 +7890,7 @@ system and gives an overview of their function and contents.
       class.
 
    :term:`SPL_SIGN_KEYNAME`
-      The name of keys used by the :ref:`ref-classes-kernel-fitimage` class
+      The name of keys used by the :ref:`ref-classes-uboot-sign` class
       for signing U-Boot FIT image stored in the :term:`SPL_SIGN_KEYDIR`
       directory. If we have for example a ``dev.key`` key and a ``dev.crt``
       certificate stored in the :term:`SPL_SIGN_KEYDIR` directory, you will
@@ -7978,7 +8151,7 @@ system and gives an overview of their function and contents.
       The Yocto Project actually shares the cache data objects built by its
       autobuilder::
 
-         SSTATE_MIRRORS ?= "file://.* http://cdn.jsdelivr.net/yocto/sstate/all/PATH;downloadfilename=PATH"
+         SSTATE_MIRRORS ?= "file://.* http://sstate.yoctoproject.org/all/PATH;downloadfilename=PATH"
 
       As such binary artifacts are built for the generic QEMU machines
       supported by the various Poky releases, they are less likely to be
@@ -8004,6 +8177,26 @@ system and gives an overview of their function and contents.
       For details on the process, see the
       :ref:`staging <ref-classes-staging>` class.
 
+   :term:`SSTATE_SKIP_CREATION`
+      The :term:`SSTATE_SKIP_CREATION` variable can be used to skip the
+      creation of :ref:`shared state <overview-manual/concepts:shared state cache>`
+      tarball files. It makes sense e.g. for image creation tasks as tarring images
+      and keeping them in sstate would consume a lot of disk space.
+
+      In general it is not recommended to use this variable as missing sstate
+      artefacts adversely impact the build, particularly for entries in the
+      middle of dependency chains. The case it can make sense is where the
+      size and time costs of the artefact are similar to just running the
+      tasks. This generally only applies to end artefact output like images.
+
+      The syntax to disable it for one task is::
+
+         SSTATE_SKIP_CREATION:task-image-complete = "1"
+
+      The syntax to disable it for the whole recipe is::
+
+         SSTATE_SKIP_CREATION = "1"
+
    :term:`STAGING_BASE_LIBDIR_NATIVE`
       Specifies the path to the ``/lib`` subdirectory of the sysroot
       directory for the build host.
@@ -8045,7 +8238,7 @@ system and gives an overview of their function and contents.
       directory for the build host.
 
    :term:`STAGING_DIR`
-      Helps construct the ``recipe-sysroots`` directory, which is used
+      Helps construct the ``recipe-sysroot*`` directories, which are used
       during packaging.
 
       For information on how staging for recipe-specific sysroots occurs,
@@ -8909,7 +9102,7 @@ system and gives an overview of their function and contents.
       :doc:`/sdk-manual/index` manual.
 
       Note that this variable applies to building an SDK, not an eSDK,
-      in which case the term:`TOOLCHAIN_HOST_TASK_ESDK` setting should be
+      in which case the :term:`TOOLCHAIN_HOST_TASK_ESDK` setting should be
       used instead.
 
    :term:`TOOLCHAIN_HOST_TASK_ESDK`
@@ -9293,6 +9486,22 @@ system and gives an overview of their function and contents.
       passes and uses "all" for the target during the U-Boot building
       process.
 
+   :term:`UNINATIVE_CHECKSUM`
+      When inheriting the :ref:`ref-classes-uninative` class, the
+      :term:`UNINATIVE_CHECKSUM` variable flags contain the checksums of the
+      uninative tarball as specified by the :term:`UNINATIVE_URL` variable.
+      There should be one checksum per tarballs published at
+      :term:`UNINATIVE_URL`, which match architectures. For example::
+
+         UNINATIVE_CHECKSUM[aarch64] ?= "812045d826b7fda88944055e8526b95a5a9440bfef608d5b53fd52faab49bf85"
+         UNINATIVE_CHECKSUM[i686] ?= "5cc28efd0c15a75de4bcb147c6cce65f1c1c9d442173a220f08427f40a3ffa09"
+         UNINATIVE_CHECKSUM[x86_64] ?= "4c03d1ed2b7b4e823aca4a1a23d8f2e322f1770fc10e859adcede5777aff4f3a"
+
+   :term:`UNINATIVE_URL`
+      When inheriting the :ref:`ref-classes-uninative` class, the
+      :term:`UNINATIVE_URL` variable contains the URL where the uninative
+      tarballs are published.
+
    :term:`UNKNOWN_CONFIGURE_OPT_IGNORE`
       Specifies a list of options that, if reported by the configure script
       as being invalid, should not generate a warning during the
@@ -9388,6 +9597,18 @@ system and gives an overview of their function and contents.
       the Yocto Project Development Tasks Manual for information on how to
       use this variable.
 
+   :term:`USE_NLS`
+      Determine if language translations should be built for recipes that can
+      build them. This variable can be equal to:
+
+      -  ``yes``: translations are enabled.
+      -  ``no``: translation are disabled.
+
+      Recipes can use the value of this variable to enable language
+      translations in their build. Classes such as :ref:`ref-classes-gettext`
+      use the value of this variable to enable :wikipedia:`Gettext <Gettext>`
+      support.
+
    :term:`USE_VT`
       When using
       :ref:`SysVinit <dev-manual/new-recipe:enabling system services>`,
@@ -9579,6 +9800,20 @@ system and gives an overview of their function and contents.
       can control with this variable, see the
       ":ref:`ref-classes-insane`" section.
 
+   :term:`WIC_CREATE_EXTRA_ARGS`
+      If the :term:`IMAGE_FSTYPES` variable contains "wic", the build
+      will generate a
+      :ref:`Wic image <dev-manual/wic:creating partitioned images using wic>`
+      automatically when BitBake builds an image recipe. As part of
+      this process BitBake will invoke the "`wic create`" command. The
+      :term:`WIC_CREATE_EXTRA_ARGS` variable is placed at the end of this
+      command which allows the user to supply additional arguments.
+
+      One such useful purpose for this mechanism is to add the ``-D`` (or
+      ``--debug``) argument to the "`wic create`" command. This increases the
+      amount of debugging information written out to the Wic log during the
+      Wic creation process.
+
    :term:`WKS_FILE`
       Specifies the location of the Wic kickstart file that is used by the
       OpenEmbedded build system to create a partitioned image

documentation/sdk-manual/working-projects.rst

@@ -56,9 +56,10 @@ project:
 
          #include <stdio.h>
 
-         main()
+         int main()
              {
                  printf("Hello World!\n");
+                 return 0;
              }
 
    -  ``configure.ac``::

documentation/security-reference/index.rst

@@ -0,0 +1,14 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+================================
+Yocto Project Security Reference
+================================
+
+.. toctree::
+   :caption: Table of Contents
+   :numbered:
+
+   security-team
+   reporting-vulnerabilities
+
+.. include:: /boilerplate.rst

documentation/security-reference/reporting-vulnerabilities.rst

@@ -0,0 +1,85 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+Reporting Vulnerabilities
+*************************
+
+The Yocto Project and OpenEmbedded are open-source, community-based projects
+used in numerous products. They assemble multiple other open-source projects,
+and need to handle security issues and practices both internal (in the code
+maintained by both projects), and external (maintained by other projects and
+organizations).
+
+This manual assembles security-related information concerning the whole
+ecosystem. It includes information on reporting a potential security issue,
+the operation of the YP Security team and how to contribute in the
+related code. It is written to be useful for both security researchers and
+YP developers.
+
+How to report a potential security vulnerability?
+=================================================
+
+If you would like to report a public issue (for example, one with a released
+CVE number), please report it using the
+:yocto_bugs:`Security Bugzilla </enter_bug.cgi?product=Security>`.
+
+If you are dealing with a not-yet-released issue, or an urgent one, please send
+a message to security AT yoctoproject DOT org, including as many details as
+possible: the layer or software module affected, the recipe and its version,
+and any example code, if available. This mailing list is monitored by the
+Yocto Project Security team.
+
+For each layer, you might also look for specific instructions (if any) for
+reporting potential security issues in the specific ``SECURITY.md`` file at the
+root of the repository. Instructions on how and where submit a patch are
+usually available in ``README.md``. If this is your first patch to the
+Yocto Project/OpenEmbedded, you might want to have a look into the
+Contributor's Manual section
+":ref:`contributor-guide/submit-changes:preparing changes for submission`".
+
+Branches maintained with security fixes
+---------------------------------------
+
+See the
+:ref:`Release process <ref-manual/release-process:Stable Release Process>`
+documentation for details regarding the policies and maintenance of stable
+branches.
+
+The :yocto_home:`Releases </development/releases/>` page contains a list of all
+releases of the Yocto Project, grouped into current and previous releases.
+Previous releases are no longer actively maintained with security patches, but
+well-tested patches may still be accepted for them for significant issues.
+
+Security-related discussions at the Yocto Project
+-------------------------------------------------
+
+We have set up two security-related emails/mailing lists:
+
+  -  Public Mailing List: yocto [dash] security [at] yoctoproject[dot] org
+
+     This is a public mailing list for anyone to subscribe to. This list is an
+     open list to discuss public security issues/patches and security-related
+     initiatives. For more information, including subscription information,
+     please see the  :yocto_lists:`yocto-security mailing list info page
+     </g/yocto-security>`.
+
+     This list requires moderator approval for new topics to be posted, to avoid
+     private security reports to be posted by mistake.
+
+  -  Yocto Project Security Team: security [at] yoctoproject [dot] org
+
+     This is an email for reporting non-published potential vulnerabilities.
+     Emails sent to this address are forwarded to the Yocto Project Security
+     Team members.
+
+
+What you should do if you find a security vulnerability
+-------------------------------------------------------
+
+If you find a security flaw: a crash, an information leakage, or anything that
+can have a security impact if exploited in any Open Source software built or
+used by the Yocto Project, please report this to the Yocto Project Security
+Team. If you prefer to contact the upstream project directly, please send a
+copy to the security team at the Yocto Project as well. If you believe this is
+highly sensitive information, please report the vulnerability in a secure way,
+i.e. encrypt the email and send it to the private list. This ensures that
+the exploit is not leaked and exploited before a response/fix has been generated.

documentation/security-reference/security-team.rst

@@ -0,0 +1,110 @@
+.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
+
+Security team
+*************
+
+The Yocto Project/OpenEmbedded security team coordinates the work on security
+subjects in the project. All general discussion takes place publicly. The
+Security Team only uses confidential communication tools to deal with private
+vulnerability reports before they are released.
+
+Security team appointment
+=========================
+
+The Yocto Project Security Team consists of at least three members. When new
+members are needed, the Yocto Project Technical Steering Committee (YP TSC)
+asks for nominations by public channels including a nomination deadline.
+Self-nominations are possible. When the limit time is
+reached, the YP TSC posts the list of candidates for the comments of project
+participants and developers. Comments may be sent publicly or privately to the
+YP and OE TSCs. The candidates are approved by both YP TSC and OpenEmbedded
+Technical Steering Committee (OE TSC) and the final list of the team members
+is announced publicly. The aim is to have people representing technical
+leadership, security knowledge and infrastructure present with enough people
+to provide backup/coverage but keep the notification list small enough to
+minimize information risk and maintain trust.
+
+YP Security Team members may resign at any time.
+
+Security Team Operations
+========================
+
+The work of the Security Team might require high confidentiality. Team members
+are individuals selected by merit and do not represent the companies they work
+for. They do not share information about confidential issues outside of the team
+and do not hint about ongoing embargoes.
+
+Team members can bring in domain experts as needed. Those people should be
+added to individual issues only and adhere to the same standards as the YP
+Security Team.
+
+The YP security team organizes its meetings and communication as needed.
+
+When the YP Security team receives a report about a potential security
+vulnerability, they quickly analyze and notify the reporter of the result.
+They might also request more information.
+
+If the issue is confirmed and affects the code maintained by the YP, they
+confidentially notify maintainers of that code and work with them to prepare
+a fix.
+
+If the issue is confirmed and affects an upstream project, the YP security team
+notifies the project. Usually, the upstream project analyzes the problem again.
+If they deem it a real security problem in their software, they develop and
+release a fix following their security policy. They may want to include the
+original reporter in the loop. There is also sometimes some coordination for
+handling patches, backporting patches etc, or just understanding the problem
+or what caused it.
+
+When the fix is publicly available, the YP security team member or the
+package maintainer sends patches against the YP code base, following usual
+procedures, including public code review.
+
+What Yocto Security Team does when it receives a security vulnerability
+=======================================================================
+
+The YP Security Team team performs a quick analysis and would usually report
+the flaw to the upstream project. Normally the upstream project analyzes the
+problem. If they deem it a real security problem in their software, they
+develop and release a fix following their own security policy. They may want
+to include the original reporter in the loop. There is also sometimes some
+coordination for handling patches, backporting patches etc, or just
+understanding the problem or what caused it.
+
+The security policy of the upstream project might include a notification to
+Linux distributions or other important downstream projects in advance to
+discuss coordinated disclosure. These mailing lists are normally non-public.
+
+When the upstream project releases a version with the fix, they are responsible
+for contacting `Mitre <https://www.cve.org/>`__ to get a CVE number assigned and
+the CVE record published.
+
+If an upstream project does not respond quickly
+===============================================
+
+If an upstream project does not fix the problem in a reasonable time,
+the Yocto's Security Team will contact other interested parties (usually
+other distributions) in the community and together try to solve the
+vulnerability as quickly as possible.
+
+The Yocto Project Security team adheres to the 90 days disclosure policy
+by default. An increase of the embargo time is possible when necessary.
+
+Security Team Members
+=====================
+
+For secure communications, please send your messages encrypted using the GPG
+keys. Remember, message headers are not encrypted so do not include sensitive
+information in the subject line.
+
+-  Ross Burton: <ross [at] burtonini [dot] com> `Public key <https://keys.openpgp.org/search?q=ross%40burtonini.com>`__
+
+-  Michael Halstead: <mhalstead [at] linuxfoundation [dot] org>
+   `Public key <https://pgp.mit.edu/pks/lookup?op=vindex&search=0x3373170601861969>`__
+   or `Public key <https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xd1f2407285e571ed12a407a73373170601861969>`__
+
+-  Richard Purdie: <richard.purdie [at] linuxfoundation [dot] org> `Public key <https://keys.openpgp.org/search?q=richard.purdie%40linuxfoundation.org>`__
+
+-  Marta Rybczynska: <marta DOT rybczynska [at] syslinbit [dot] com> `Public key <https://keys.openpgp.org/search?q=marta.rybczynska@syslinbit.com>`__
+
+-  Steve Sakoman: <steve [at] sakoman [dot] com> `Public key <https://keys.openpgp.org/search?q=steve%40sakoman.com>`__

documentation/test-manual/intro.rst

@@ -51,13 +51,11 @@ fashion. Basically, during the development of a Yocto Project release,
 the Autobuilder tests if things work. The Autobuilder builds all test
 targets and runs all the tests.
 
-The Yocto Project uses now uses standard upstream
-Buildbot (`version 3.8 <https://docs.buildbot.net/3.8.0/>`__) to
-drive its integration and testing. Buildbot has a plug-in interface
-that the Yocto Project customizes using code from the
-``yocto-autobuilder2`` repository, adding its own console UI plugin. The
-resulting UI plug-in allows you to visualize builds in a way suited to
-the project's needs.
+The Yocto Project uses standard upstream Buildbot to drive its integration and
+testing. Buildbot has a plug-in interface that the Yocto Project customizes
+using code from the :yocto_git:`yocto-autobuilder2 </yocto-autobuilder2>`
+repository, adding its own console UI plugin. The resulting UI plug-in allows
+you to visualize builds in a way suited to the project's needs.
 
 A ``helper`` layer provides configuration and job management through
 scripts found in the ``yocto-autobuilder-helper`` repository. The

documentation/test-manual/ptest.rst

@@ -70,6 +70,25 @@ test. Here is what you have to do for each recipe:
       cd test
       make -k runtest-TESTS
 
+-  *Return an appropriate exit code*: The ``run-ptest`` script must return 0 on
+   success, 1 on failure. This is needed by ``ptest-runner`` to keep track of
+   the successful and failed tests.
+
+-  *Make sure the test prints at least one test result*: The execution of the
+   ``run-ptest`` script must result in at least one test result output on the
+   console, with the following format::
+
+      result: testname
+
+   Where ``result`` can be one of ``PASS``, ``SKIP``, or ``FAIL``. ``testname``
+   can be any name.
+
+   There can be as many test results as desired.
+
+   This information is read by the :ref:`ref-classes-testimage` class and
+   :oe_git:`logparser </openembedded-core/tree/meta/lib/oeqa/utils/logparser.py>`
+   module.
+
 -  *Ensure dependencies are met:* If the test adds build or runtime
    dependencies that normally do not exist for the package (such as
    requiring "make" to run the test suite), use the

documentation/test-manual/reproducible-builds.rst

@@ -113,7 +113,7 @@ If ``OEQA_DEBUGGING_SAVED_OUTPUT`` is set, any differing packages will be saved
 here. The test is also able to run the ``diffoscope`` command on the output to
 generate HTML files showing the differences between the packages, to aid
 debugging. On the Autobuilder, these appear under
-https://autobuilder.yocto.io/pub/repro-fail/ in the form ``oe-reproducible +
+https://valkyrie.yocto.io/pub/repro-fail/ in the form ``oe-reproducible +
 <date> + <random ID>``, e.g. ``oe-reproducible-20200202-1lm8o1th``.
 
 The project's current reproducibility status can be seen at

documentation/test-manual/test-process.rst

@@ -69,7 +69,7 @@ box to "generate an email to QA" is also checked.
 When the build completes, an email is sent out using the ``send-qa-email``
 script in the :yocto_git:`yocto-autobuilder-helper </yocto-autobuilder-helper>`
 repository to the list of people configured for that release. Release builds
-are placed into a directory in https://autobuilder.yocto.io/pub/releases on the
+are placed into a directory in https://valkyrie.yocto.io/pub/releases on the
 Autobuilder which is included in the email. The process from here is
 more manual and control is effectively passed to release engineering.
 The next steps include:

documentation/test-manual/yocto-project-compatible.rst

@@ -38,7 +38,7 @@ Benefits
 and flexible: it gives users the ultimate power to change pretty much any
 aspect of the system but as with most things, power comes with responsibility.
 The Yocto Project would like to see people able to mix and match BSPs with
-distro configs or software stacks and be able to merge succesfully.
+distro configs or software stacks and be able to merge successfully.
 Over time, the project identified characteristics in layers that allow them
 to operate well together. "anti-patterns" were also found, preventing layers
 from working well together.

documentation/toaster-manual/reference.rst

@@ -548,7 +548,7 @@ database.
 
 You need to run the ``buildslist`` command first to identify existing
 builds in the database before using the
-:ref:`toaster-manual/reference:\`\`builddelete\`\`` command. Here is an
+:ref:`toaster-manual/reference:``builddelete``` command. Here is an
 example that assumes default repository and build directory names:
 
 .. code-block:: shell
@@ -557,7 +557,7 @@ example that assumes default repository and build directory names:
    $ python ../bitbake/lib/toaster/manage.py buildslist
 
 If your Toaster database had only one build, the above
-:ref:`toaster-manual/reference:\`\`buildslist\`\``
+:ref:`toaster-manual/reference:``buildslist```
 command would return something like the following::
 
    1: qemux86 poky core-image-minimal
@@ -578,7 +578,7 @@ the database.
 
 Prior to running the ``builddelete`` command, you need to get the ID
 associated with builds by using the
-:ref:`toaster-manual/reference:\`\`buildslist\`\`` command.
+:ref:`toaster-manual/reference:``buildslist``` command.
 
 ``perf``
 --------

meta-poky/conf/distro/poky.conf

@@ -1,7 +1,7 @@
 DISTRO = "poky"
 DISTRO_NAME = "Poky (Yocto Project Reference Distro)"
 #DISTRO_VERSION = "3.4+snapshot-${METADATA_REVISION}"
-DISTRO_VERSION = "4.0.27"
+DISTRO_VERSION = "4.0.33"
 DISTRO_CODENAME = "kirkstone"
 SDK_VENDOR = "-pokysdk"
 SDK_VERSION = "${@d.getVar('DISTRO_VERSION').replace('snapshot-${METADATA_REVISION}', 'snapshot')}"

meta-selftest/files/static-group

@@ -25,3 +25,4 @@ weston:x:525:
 wayland:x:526:
 render:x:527:
 sgx:x:528:
+audio:x:529:

meta/classes/cross.bbclass

@@ -95,3 +95,39 @@ addtask addto_recipe_sysroot after do_populate_sysroot
 do_addto_recipe_sysroot[deptask] = "do_populate_sysroot"
 
 PATH:prepend = "${COREBASE}/scripts/cross-intercept:"
+
+#
+# Cross task outputs can call native dependencies and even when cross
+# recipe output doesn't change it might produce different results when
+# the called native dependency is changed, e.g. clang-cross-${TARGET_ARCH}
+# contains symlink to clang binary from clang-native, but when clang-native
+# outhash is changed, clang-cross-${TARGET_ARCH} will still be considered
+# equivalent and target recipes aren't rebuilt with new clang binary, see
+# work around in https://github.com/kraj/meta-clang/pull/1140 to make target
+# recipes to depend directly not only on clang-cross-${TARGET_ARCH} but
+# clang-native as well.
+#
+# This can cause poor interactions with hash equivalence, since this recipes
+# output-changing dependency is "hidden" and downstream task only see that this
+# recipe has the same outhash and therefore is equivalent. This can result in
+# different output in different cases.
+#
+# To resolve this, unhide the output-changing dependency by adding its unihash
+# to this tasks outhash calculation. Unfortunately, don't know specifically
+# know which dependencies are output-changing, so we have to add all of them.
+#
+python cross_add_do_populate_sysroot_deps () {
+    current_task = "do_" + d.getVar("BB_CURRENTTASK")
+    if current_task != "do_populate_sysroot":
+        return
+
+    taskdepdata = d.getVar("BB_TASKDEPDATA", False)
+    pn = d.getVar("PN")
+    deps = {
+        dep[0]:dep[6] for dep in taskdepdata.values() if
+            dep[1] == current_task and dep[0] != pn
+    }
+
+    d.setVar("HASHEQUIV_EXTRA_SIGDATA", "\n".join("%s: %s" % (k, deps[k]) for k in sorted(deps.keys())))
+}
+SSTATECREATEFUNCS += "cross_add_do_populate_sysroot_deps"

meta/classes/goarch.bbclass

@@ -18,6 +18,9 @@ TARGET_GOMIPS = "${@go_map_mips(d.getVar('TARGET_ARCH'), d.getVar('TUNE_FEATURES
 TARGET_GOARM:class-native = "7"
 TARGET_GO386:class-native = "sse2"
 TARGET_GOMIPS:class-native = "hardfloat"
+TARGET_GOARM:class-crosssdk = "7"
+TARGET_GO386:class-crosssdk = "sse2"
+TARGET_GOMIPS:class-crosssdk = "hardfloat"
 TARGET_GOTUPLE = "${TARGET_GOOS}_${TARGET_GOARCH}"
 GO_BUILD_BINDIR = "${@['bin/${HOST_GOTUPLE}','bin'][d.getVar('BUILD_GOTUPLE') == d.getVar('HOST_GOTUPLE')]}"
 

meta/classes/insane.bbclass

@@ -1182,24 +1182,27 @@ python do_qa_patch() {
             msg += "    devtool modify %s\n" % d.getVar('PN')
             msg += "    devtool finish --force-patch-refresh %s <layer_path>\n\n" % d.getVar('PN')
             msg += "Don't forget to review changes done by devtool!\n"
-            if bb.utils.filter('ERROR_QA', 'patch-fuzz', d):
-                bb.error(msg)
-            elif bb.utils.filter('WARN_QA', 'patch-fuzz', d):
-                bb.warn(msg)
-            msg = "Patch log indicates that patches do not apply cleanly."
+            msg += "\nPatch log indicates that patches do not apply cleanly."
             oe.qa.handle_error("patch-fuzz", msg, d)
 
     # Check if the patch contains a correctly formatted and spelled Upstream-Status
     import re
     from oe import patch
 
+    allpatches = False
+    if bb.utils.filter('ERROR_QA', 'patch-status-noncore', d) or bb.utils.filter('WARN_QA', 'patch-status-noncore', d):
+        allpatches = True
+
     coremeta_path = os.path.join(d.getVar('COREBASE'), 'meta', '')
     for url in patch.src_patches(d):
        (_, _, fullpath, _, _, _) = bb.fetch.decodeurl(url)
 
        # skip patches not in oe-core
+       patchtype = "patch-status-core"
        if not os.path.abspath(fullpath).startswith(coremeta_path):
-           continue
+           patchtype = "patch-status-noncore"
+           if not allpatches:
+               continue
 
        kinda_status_re = re.compile(r"^.*upstream.*status.*$", re.IGNORECASE | re.MULTILINE)
        strict_status_re = re.compile(r"^Upstream-Status: (Pending|Submitted|Denied|Accepted|Inappropriate|Backport|Inactive-Upstream)( .+)?$", re.MULTILINE)
@@ -1212,9 +1215,13 @@ python do_qa_patch() {
 
            if not match_strict:
                if match_kinda:
-                   bb.error("Malformed Upstream-Status in patch\n%s\nPlease correct according to %s :\n%s" % (fullpath, guidelines, match_kinda.group(0)))
+                   msg = "Malformed Upstream-Status in patch\n%s\nPlease correct according to %s :\n%s" % (fullpath, guidelines, match_kinda.group(0))
+                   oe.qa.handle_error(patchtype, msg, d)
                else:
-                   bb.error("Missing Upstream-Status in patch\n%s\nPlease add according to %s ." % (fullpath, guidelines))
+                   msg = "Missing Upstream-Status in patch\n%s\nPlease add according to %s ." % (fullpath, guidelines)
+                   oe.qa.handle_error(patchtype, msg, d)
+
+    oe.qa.exit_if_errors(d)
 }
 
 python do_qa_configure() {
@@ -1331,6 +1338,7 @@ python do_qa_unpack() {
         bb.warn('%s: the directory %s (%s) pointed to by the S variable doesn\'t exist - please set S within the recipe to point to where the source has been unpacked to' % (d.getVar('PN'), d.getVar('S', False), s_dir))
 
     unpack_check_src_uri(d.getVar('PN'), d)
+    oe.qa.exit_if_errors(d)
 }
 
 # The Staging Func, to check all staging

meta/classes/kernel.bbclass

@@ -706,9 +706,10 @@ RDEPENDS:${KERNEL_PACKAGE_NAME} = "${KERNEL_PACKAGE_NAME}-base (= ${EXTENDPKGV})
 # not wanted in images as standard
 RRECOMMENDS:${KERNEL_PACKAGE_NAME}-base ?= "${KERNEL_PACKAGE_NAME}-image (= ${EXTENDPKGV})"
 PKG:${KERNEL_PACKAGE_NAME}-image = "${KERNEL_PACKAGE_NAME}-image-${@legitimize_package_name(d.getVar('KERNEL_VERSION'))}"
+RPROVIDES:${KERNEL_PACKAGE_NAME}-image += "${KERNEL_PACKAGE_NAME}-image"
 RDEPENDS:${KERNEL_PACKAGE_NAME}-image += "${@oe.utils.conditional('KERNEL_IMAGETYPE', 'vmlinux', '${KERNEL_PACKAGE_NAME}-vmlinux (= ${EXTENDPKGV})', '', d)}"
 PKG:${KERNEL_PACKAGE_NAME}-base = "${KERNEL_PACKAGE_NAME}-${@legitimize_package_name(d.getVar('KERNEL_VERSION'))}"
-RPROVIDES:${KERNEL_PACKAGE_NAME}-base += "${KERNEL_PACKAGE_NAME}-${KERNEL_VERSION}"
+RPROVIDES:${KERNEL_PACKAGE_NAME}-base += "${KERNEL_PACKAGE_NAME}-${KERNEL_VERSION} ${KERNEL_PACKAGE_NAME}-base"
 ALLOW_EMPTY:${KERNEL_PACKAGE_NAME} = "1"
 ALLOW_EMPTY:${KERNEL_PACKAGE_NAME}-base = "1"
 ALLOW_EMPTY:${KERNEL_PACKAGE_NAME}-image = "1"

meta/conf/bitbake.conf

@@ -690,7 +690,7 @@ DEBIAN_MIRROR = "http://ftp.debian.org/debian/pool"
 GENTOO_MIRROR = "http://distfiles.gentoo.org/distfiles"
 GNOME_GIT = "git://gitlab.gnome.org/GNOME"
 GNOME_MIRROR = "https://download.gnome.org/sources/"
-GNU_MIRROR = "https://ftp.gnu.org/gnu"
+GNU_MIRROR = "https://ftpmirror.gnu.org/gnu"
 GNUPG_MIRROR = "https://www.gnupg.org/ftp/gcrypt"
 GPE_MIRROR = "http://gpe.linuxtogo.org/download/source"
 KERNELORG_MIRROR = "https://cdn.kernel.org/pub"

meta/conf/distro/include/default-distrovars.inc

@@ -52,4 +52,4 @@ KERNEL_IMAGETYPES ??= "${KERNEL_IMAGETYPE}"
 # fetch from the network (and warn you if not). To disable the test set
 # the variable to be empty.
 # Git example url: git://git.yoctoproject.org/yocto-firewall-test;protocol=git;rev=master;branch=master
-CONNECTIVITY_CHECK_URIS ?= "https://yoctoproject.org/connectivity.html"
+CONNECTIVITY_CHECK_URIS ?= "https://www.yoctoproject.org/connectivity.html"

meta/conf/distro/include/ptest-packagelists.inc

@@ -29,7 +29,6 @@ PTESTS_FAST = "\
     libnl-ptest \
     libmodule-build-perl-ptest \
     libpcre-ptest \
-    libpng-ptest \
     libssh2-ptest \
     libtimedate-perl-ptest \
     libtest-needs-perl-ptest \
@@ -88,6 +87,7 @@ PTESTS_SLOW = "\
     glib-2.0-ptest \
     gstreamer1.0-ptest \
     libevent-ptest \
+    libpng-ptest \
     lttng-tools-ptest \
     openssh-ptest \
     openssl-ptest \

meta/lib/oeqa/core/decorator/data.py

@@ -194,3 +194,27 @@ class skipIfQemu(OETestDecorator):
         self.logger.debug("Checking if qemu MACHINE")
         if self.case.td.get('MACHINE', '').startswith('qemu'):
              self.case.skipTest('Test only runs on real hardware')
+
+@registerDecorator
+class skipIfArch(OETestDecorator):
+    """
+    Skip test if HOST_ARCH is present in the tuple specified.
+    """
+
+    attrs = ('archs',)
+    def setUpDecorator(self):
+        arch = self.case.td['HOST_ARCH']
+        if arch in self.archs:
+             self.case.skipTest('Test skipped on %s' % arch)
+
+@registerDecorator
+class skipIfNotArch(OETestDecorator):
+    """
+    Skip test if HOST_ARCH is not present in the tuple specified.
+    """
+
+    attrs = ('archs',)
+    def setUpDecorator(self):
+        arch = self.case.td['HOST_ARCH']
+        if arch not in self.archs:
+             self.case.skipTest('Test skipped on %s' % arch)

meta/lib/oeqa/runtime/cases/buildcpio.py

@@ -12,7 +12,7 @@ class BuildCpioTest(OERuntimeTestCase):
 
     @classmethod
     def setUpClass(cls):
-        uri = 'https://downloads.yoctoproject.org/mirror/sources/cpio-2.13.tar.gz'
+        uri = 'https://downloads.yoctoproject.org/mirror/sources/cpio-2.14.tar.gz'
         cls.project = TargetBuildProject(cls.tc.target,
                                          uri,
                                          dl_dir = cls.tc.td['DL_DIR'])

meta/lib/oeqa/sdk/buildtools-cases/https.py

@@ -13,8 +13,8 @@ class HTTPTests(OESDKTestCase):
     """
 
     def test_wget(self):
-        self._run('env -i wget --debug --output-document /dev/null https://yoctoproject.org/connectivity.html')
+        self._run('env -i wget --debug --output-document /dev/null https://www.yoctoproject.org/connectivity.html')
 
     def test_python(self):
         # urlopen() returns a file-like object on success and throws an exception otherwise
-        self._run('python3 -c \'import urllib.request; urllib.request.urlopen("https://yoctoproject.org/connectivity.html")\'')
+        self._run('python3 -c \'import urllib.request; urllib.request.urlopen("https://www.yoctoproject.org/connectivity.html")\'')

meta/lib/oeqa/sdk/cases/buildcpio.py

@@ -17,10 +17,10 @@ class BuildCpioTest(OESDKTestCase):
     """
     def test_cpio(self):
         with tempfile.TemporaryDirectory(prefix="cpio-", dir=self.tc.sdk_dir) as testdir:
-            tarball = self.fetch(testdir, self.td["DL_DIR"], "https://ftp.gnu.org/gnu/cpio/cpio-2.13.tar.gz")
+            tarball = self.fetch(testdir, self.td["DL_DIR"], "https://ftpmirror.gnu.org/gnu/cpio/cpio-2.14.tar.gz")
 
             dirs = {}
-            dirs["source"] = os.path.join(testdir, "cpio-2.13")
+            dirs["source"] = os.path.join(testdir, "cpio-2.14")
             dirs["build"] = os.path.join(testdir, "build")
             dirs["install"] = os.path.join(testdir, "install")
 

meta/lib/oeqa/selftest/cases/meta_ide.py

@@ -40,7 +40,7 @@ class MetaIDE(OESelftestTestCase):
     def test_meta_ide_can_build_cpio_project(self):
         dl_dir = self.td.get('DL_DIR', None)
         self.project = SDKBuildProject(self.tmpdir_metaideQA + "/cpio/", self.environment_script_path,
-                        "https://ftp.gnu.org/gnu/cpio/cpio-2.13.tar.gz",
+                        "https://ftpmirror.gnu.org/gnu/cpio/cpio-2.14.tar.gz",
                         self.tmpdir_metaideQA, self.td['DATETIME'], dl_dir=dl_dir)
         self.project.download_archive()
         self.assertEqual(self.project.run_configure('$CONFIGURE_FLAGS --disable-maintainer-mode','sed -i -e "/char \*program_name/d" src/global.c;'), 0,

meta/recipes-bsp/efibootmgr/efibootmgr_17.bb

@@ -10,7 +10,7 @@ DEPENDS = "efivar popt"
 
 COMPATIBLE_HOST = "(i.86|x86_64|arm|aarch64).*-linux"
 
-SRC_URI = "git://github.com/rhinstaller/efibootmgr.git;protocol=https;branch=master \
+SRC_URI = "git://github.com/rhinstaller/efibootmgr.git;protocol=https;branch=main \
            file://0001-remove-extra-decl.patch \
            file://97668ae0bce776a36ea2001dea63d376be8274ac.patch \
            file://0001-src-make-compatible-with-efivar-38.patch \

meta/recipes-bsp/grub/files/CVE-2024-56738.patch

@@ -0,0 +1,75 @@
+From 4cef2fc7308b2132317ad166939994f098b41561 Mon Sep 17 00:00:00 2001
+From: Ross Burton <ross.burton@arm.com>
+Date: Tue, 9 Sep 2025 14:23:14 +0100
+Subject: [PATCH] CVE-2024-56738
+
+Backport an algorithmic change to grub_crypto_memcmp() so that it completes in
+constant time and thus isn't susceptible to side-channel attacks.
+
+This is a partial backport of grub 0739d24cd
+("libgcrypt: Adjust import script, definitions and API users for libgcrypt 1.11")
+
+CVE: CVE-2024-56738
+Upstream-Status: Backport [0739d24cd]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ grub-core/lib/crypto.c | 23 ++++++++++++++++-------
+ include/grub/crypto.h  |  2 +-
+ 2 files changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/grub-core/lib/crypto.c b/grub-core/lib/crypto.c
+index ca334d5..1bfa922 100644
+--- a/grub-core/lib/crypto.c
++++ b/grub-core/lib/crypto.c
+@@ -433,19 +433,28 @@ grub_crypto_gcry_error (gcry_err_code_t in)
+   return GRUB_ACCESS_DENIED;
+ }
+
++/*
++ * Compare byte arrays of length LEN, return 1 if it's not same,
++ * 0, otherwise.
++ */
+ int
+-grub_crypto_memcmp (const void *a, const void *b, grub_size_t n)
++grub_crypto_memcmp (const void *b1, const void *b2, grub_size_t len)
+ {
+-  register grub_size_t counter = 0;
+-  const grub_uint8_t *pa, *pb;
++  const grub_uint8_t *a = b1;
++  const grub_uint8_t *b = b2;
++  int ab, ba;
++  grub_size_t i;
+
+-  for (pa = a, pb = b; n; pa++, pb++, n--)
++  /* Constant-time compare. */
++  for (i = 0, ab = 0, ba = 0; i < len; i++)
+     {
+-      if (*pa != *pb)
+-	counter++;
++      /* If a[i] != b[i], either ab or ba will be negative. */
++      ab |= a[i] - b[i];
++      ba |= b[i] - a[i];
+     }
+
+-  return !!counter;
++  /* 'ab | ba' is negative when buffers are not equal, extract sign bit.  */
++  return ((unsigned int)(ab | ba) >> (sizeof(unsigned int) * 8 - 1)) & 1;
+ }
+
+ #ifndef GRUB_UTIL
+diff --git a/include/grub/crypto.h b/include/grub/crypto.h
+index 21cd1f7..432912b 100644
+--- a/include/grub/crypto.h
++++ b/include/grub/crypto.h
+@@ -393,7 +393,7 @@ grub_crypto_pbkdf2 (const struct gcry_md_spec *md,
+		    grub_uint8_t *DK, grub_size_t dkLen);
+
+ int
+-grub_crypto_memcmp (const void *a, const void *b, grub_size_t n);
++grub_crypto_memcmp (const void *b1, const void *b2, grub_size_t len);
+
+ int
+ grub_password_get (char buf[], unsigned buf_size);
+--
+2.40.0

meta/recipes-bsp/grub/files/CVE-2025-61661.patch

@@ -0,0 +1,40 @@
+From 9c2ae73b549a653f5f1bd5d4edebc50a764bad06 Mon Sep 17 00:00:00 2001
+From: Jamie <volticks@gmail.com>
+Date: Mon, 14 Jul 2025 09:52:59 +0100
+Subject: [PATCH 1/3] commands/usbtest: Use correct string length field
+
+An incorrect length field is used for buffer allocation. This leads to
+grub_utf16_to_utf8() receiving an incorrect/different length and possibly
+causing OOB write. This makes sure to use the correct length.
+
+Fixes: CVE-2025-61661
+
+CVE: CVE-2025-61661
+
+Upstream-Status: Backport
+[https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=549a9cc372fd0b96a4ccdfad0e12140476cc62a3]
+
+Reported-by: Jamie <volticks@gmail.com>
+Signed-off-by: Jamie <volticks@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
+---
+ grub-core/commands/usbtest.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/commands/usbtest.c b/grub-core/commands/usbtest.c
+index 2c6d93fe6..8ef187a9a 100644
+--- a/grub-core/commands/usbtest.c
++++ b/grub-core/commands/usbtest.c
+@@ -99,7 +99,7 @@ grub_usb_get_string (grub_usb_device_t dev, grub_uint8_t index, int langid,
+       return GRUB_USB_ERR_NONE;
+     }
+ 
+-  *string = grub_malloc (descstr.length * 2 + 1);
++  *string = grub_malloc (descstrp->length * 2 + 1);
+   if (! *string)
+     {
+       grub_free (descstrp);
+-- 
+2.34.1
+

meta/recipes-bsp/grub/files/CVE-2025-61662.patch

@@ -0,0 +1,72 @@
+From c47760a907c91283bac9a8400d6975574b1d3986 Mon Sep 17 00:00:00 2001
+From: Alec Brown <alec.r.brown@oracle.com>
+Date: Thu, 21 Aug 2025 21:14:06 +0000
+Subject: [PATCH 2/3] gettext/gettext: Unregister gettext command on module
+ unload
+
+When the gettext module is loaded, the gettext command is registered but
+isn't unregistered when the module is unloaded. We need to add a call to
+grub_unregister_command() when unloading the module.
+
+Fixes: CVE-2025-61662
+
+CVE: CVE-2025-61662
+
+Upstream-Status: Backport
+[https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=8ed78fd9f0852ab218cc1f991c38e5a229e43807]
+
+Reported-by: Alec Brown <alec.r.brown@oracle.com>
+Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
+---
+ grub-core/gettext/gettext.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
+index 7a25c9d67..ef1258ee0 100644
+--- a/grub-core/gettext/gettext.c
++++ b/grub-core/gettext/gettext.c
+@@ -502,6 +502,8 @@ grub_cmd_translate (grub_command_t cmd __attribute__ ((unused)),
+   return 0;
+ }
+ 
++static grub_command_t cmd;
++
+ GRUB_MOD_INIT (gettext)
+ {
+   const char *lang;
+@@ -521,13 +523,14 @@ GRUB_MOD_INIT (gettext)
+   grub_register_variable_hook ("locale_dir", NULL, read_main);
+   grub_register_variable_hook ("secondary_locale_dir", NULL, read_secondary);
+ 
+-  grub_register_command_p1 ("gettext", grub_cmd_translate,
+-			    N_("STRING"),
+-			    /* TRANSLATORS: It refers to passing the string through gettext.
+-			       So it's "translate" in the same meaning as in what you're 
+-			       doing now.
+-			     */
+-			    N_("Translates the string with the current settings."));
++  cmd = grub_register_command_p1 ("gettext", grub_cmd_translate,
++				  N_("STRING"),
++				  /*
++				   * TRANSLATORS: It refers to passing the string through gettext.
++				   * So it's "translate" in the same meaning as in what you're
++				   * doing now.
++				   */
++				  N_("Translates the string with the current settings."));
+ 
+   /* Reload .mo file information if lang changes.  */
+   grub_register_variable_hook ("lang", NULL, grub_gettext_env_write_lang);
+@@ -544,6 +547,8 @@ GRUB_MOD_FINI (gettext)
+   grub_register_variable_hook ("secondary_locale_dir", NULL, NULL);
+   grub_register_variable_hook ("lang", NULL, NULL);
+ 
++  grub_unregister_command (cmd);
++
+   grub_gettext_delete_list (&main_context);
+   grub_gettext_delete_list (&secondary_context);
+ 
+-- 
+2.34.1
+

meta/recipes-bsp/grub/files/CVE-2025-61663_61664.patch

@@ -0,0 +1,64 @@
+From a182bd873e4aa93205ecbb7845ef7f0eda99dcf5 Mon Sep 17 00:00:00 2001
+From: Alec Brown <alec.r.brown@oracle.com>
+Date: Thu, 21 Aug 2025 21:14:07 +0000
+Subject: [PATCH 3/3] normal/main: Unregister commands on module unload
+
+When the normal module is loaded, the normal and normal_exit commands
+are registered but aren't unregistered when the module is unloaded. We
+need to add calls to grub_unregister_command() when unloading the module
+for these commands.
+
+Fixes: CVE-2025-61663
+Fixes: CVE-2025-61664
+
+CVE: CVE-2025-61663 CVE-2025-61664
+
+Upstream-Status: Backport
+[https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=05d3698b8b03eccc49e53491bbd75dba15f40917]
+
+Reported-by: Alec Brown <alec.r.brown@oracle.com>
+Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
+---
+ grub-core/normal/main.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
+index a95c25e5f..9d576de7a 100644
+--- a/grub-core/normal/main.c
++++ b/grub-core/normal/main.c
+@@ -499,7 +499,7 @@ grub_mini_cmd_clear (struct grub_command *cmd __attribute__ ((unused)),
+   return 0;
+ }
+ 
+-static grub_command_t cmd_clear;
++static grub_command_t cmd_clear, cmd_normal, cmd_normal_exit;
+ 
+ static void (*grub_xputs_saved) (const char *str);
+ static const char *features[] = {
+@@ -541,10 +541,10 @@ GRUB_MOD_INIT(normal)
+   grub_env_export ("pager");
+ 
+   /* Register a command "normal" for the rescue mode.  */
+-  grub_register_command ("normal", grub_cmd_normal,
+-			 0, N_("Enter normal mode."));
+-  grub_register_command ("normal_exit", grub_cmd_normal_exit,
+-			 0, N_("Exit from normal mode."));
++  cmd_normal = grub_register_command ("normal", grub_cmd_normal,
++				      0, N_("Enter normal mode."));
++  cmd_normal_exit = grub_register_command ("normal_exit", grub_cmd_normal_exit,
++					   0, N_("Exit from normal mode."));
+ 
+   /* Reload terminal colors when these variables are written to.  */
+   grub_register_variable_hook ("color_normal", NULL, grub_env_write_color_normal);
+@@ -586,4 +586,6 @@ GRUB_MOD_FINI(normal)
+   grub_register_variable_hook ("color_highlight", NULL, NULL);
+   grub_fs_autoload_hook = 0;
+   grub_unregister_command (cmd_clear);
++  grub_unregister_command (cmd_normal);
++  grub_unregister_command (cmd_normal_exit);
+ }
+-- 
+2.34.1
+

meta/recipes-bsp/grub/grub2.inc

@@ -59,6 +59,10 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
            file://CVE-2025-0678_CVE-2025-1125.patch \
            file://CVE-2025-0690.patch \
            file://CVE-2025-1118.patch \
+           file://CVE-2024-56738.patch \
+           file://CVE-2025-61661.patch \
+           file://CVE-2025-61662.patch \
+           file://CVE-2025-61663_61664.patch \
 "
 
 SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"
@@ -69,6 +73,8 @@ CVE_CHECK_IGNORE += "CVE-2019-14865"
 CVE_CHECK_IGNORE += "CVE-2021-46705"
 # not-applicable-platform: Applies only to RHEL/Fedora
 CVE_CHECK_IGNORE += "CVE-2024-1048 CVE-2023-4001"
+# not-applicable-platform: Applies only to Ubuntu
+CVE_CHECK_IGNORE += "CVE-2024-2312"
 
 DEPENDS = "flex-native bison-native gettext-native"
 

meta/recipes-bsp/u-boot/files/0001-Include-cstddef-in-the-header-for-C.patch

@@ -0,0 +1,27 @@
+From 10c9a571f1c0472799f72b1924b039aab231e95f Mon Sep 17 00:00:00 2001
+From: Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>
+Date: Thu, 16 Dec 2021 16:19:50 +0100
+Subject: [PATCH] Include cstddef in the header for C++
+
+So C++ compiler always has access to the definition of size_t.
+
+Signed-off-by: Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>
+Signed-off-by: Youngseok Jeong <youngseok1.jeong@lge.com>
+Upstream-Status: Backport [v0.3.3 https://github.com/sbabic/libubootenv/pull/19/commits/764226a7de2ea79b182d92829922489537c766fa]
+---
+ src/libuboot.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libuboot.h b/src/libuboot.h
+index 88f0558..1f305f4 100644
+--- a/src/libuboot.h
++++ b/src/libuboot.h
+@@ -6,6 +6,8 @@
+  */
+ 
+ #ifdef __cplusplus
++#include <cstddef>
++
+ extern "C" {
+ #endif
+ 

meta/recipes-bsp/u-boot/files/CVE-2024-42040.patch

@@ -0,0 +1,56 @@
+From 1406fc918977bba4dac0af5e22e63a5553aa6aff Mon Sep 17 00:00:00 2001
+From: Paul HENRYS <paul.henrys_ext@softathome.com>
+Date: Thu, 9 Oct 2025 17:43:28 +0200
+Subject: [PATCH] net: bootp: Prevent buffer overflow to avoid leaking the RAM
+ content
+
+CVE-2024-42040 describes a possible buffer overflow when calling
+bootp_process_vendor() in bootp_handler() since the total length
+of the packet is passed to bootp_process_vendor() without being
+reduced to len-(offsetof(struct bootp_hdr,bp_vend)+4).
+
+The packet length is also checked against its minimum size to avoid
+reading data from struct bootp_hdr outside of the packet length.
+
+Signed-off-by: Paul HENRYS <paul.henrys_ext@softathome.com>
+Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
+
+CVE: CVE-2024-42040
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/81e5708cc2c865df606e49aed5415adb2a662171]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ net/bootp.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/net/bootp.c b/net/bootp.c
+index 68002909634..843180d296c 100644
+--- a/net/bootp.c
++++ b/net/bootp.c
+@@ -362,6 +362,14 @@ static void bootp_handler(uchar *pkt, unsigned dest, struct in_addr sip,
+ 	debug("got BOOTP packet (src=%d, dst=%d, len=%d want_len=%zu)\n",
+ 	      src, dest, len, sizeof(struct bootp_hdr));
+ 
++	/* Check the minimum size of a BOOTP packet is respected.
++	 * A BOOTP packet is between 300 bytes and 576 bytes big
++	 */
++	if (len < offsetof(struct bootp_hdr, bp_vend) + 64) {
++		printf("Error: got an invalid BOOTP packet (len=%u)\n", len);
++		return;
++	}
++
+ 	bp = (struct bootp_hdr *)pkt;
+ 
+ 	/* Filter out pkts we don't want */
+@@ -379,7 +387,8 @@ static void bootp_handler(uchar *pkt, unsigned dest, struct in_addr sip,
+ 
+ 	/* Retrieve extended information (we must parse the vendor area) */
+ 	if (net_read_u32((u32 *)&bp->bp_vend[0]) == htonl(BOOTP_VENDOR_MAGIC))
+-		bootp_process_vendor((uchar *)&bp->bp_vend[4], len);
++		bootp_process_vendor((uchar *)&bp->bp_vend[4], len -
++				     (offsetof(struct bootp_hdr, bp_vend) + 4));
+ 
+ 	net_set_timeout_handler(0, (thand_f *)0);
+ 	bootstage_mark_name(BOOTSTAGE_ID_BOOTP_STOP, "bootp_stop");
+-- 
+2.49.0
+

meta/recipes-bsp/u-boot/libubootenv_0.3.2.bb

@@ -10,7 +10,11 @@ LICENSE = "LGPL-2.1-only"
 LIC_FILES_CHKSUM = "file://Licenses/lgpl-2.1.txt;md5=4fbd65380cdd255951079008b364516c"
 SECTION = "libs"
 
-SRC_URI = "git://github.com/sbabic/libubootenv;protocol=https;branch=master"
+SRC_URI = " \
+    git://github.com/sbabic/libubootenv;protocol=https;branch=master \
+    file://0001-Include-cstddef-in-the-header-for-C.patch \
+"
+
 SRCREV = "ba7564f5006d09bec51058cf4f5ac90d4dc18b3c"
 
 S = "${WORKDIR}/git"

meta/recipes-bsp/u-boot/u-boot-common.inc

@@ -14,7 +14,9 @@ PE = "1"
 # repo during parse
 SRCREV = "d637294e264adfeb29f390dfc393106fd4d41b17"
 
-SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master"
+SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master \
+           file://CVE-2024-42040.patch \
+"
 
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build"

meta/recipes-connectivity/avahi/avahi_0.8.bb

@@ -36,6 +36,7 @@ SRC_URI = "https://github.com/lathiat/avahi/releases/download/v${PV}/avahi-${PV}
            file://CVE-2023-38472.patch \
            file://CVE-2023-38473.patch \
            file://CVE-2024-52616.patch \
+           file://CVE-2024-52615.patch \
            "
 
 UPSTREAM_CHECK_URI = "https://github.com/lathiat/avahi/releases/"

meta/recipes-connectivity/avahi/files/CVE-2024-52615.patch

@@ -0,0 +1,228 @@
+From 4e2e1ea0908d7e6ad7f38ae04fdcdf2411f8b942 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar <msekleta@redhat.com>
+Date: Wed, 27 Nov 2024 18:07:32 +0100
+Subject: [PATCH] core/wide-area: fix for CVE-2024-52615
+
+CVE: CVE-2024-52615
+Upstream-Status: Backport [https://github.com/avahi/avahi/commit/4e2e1ea0908d7e6ad7f38ae04fdcdf2411f8b942]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ avahi-core/wide-area.c | 128 ++++++++++++++++++++++-------------------
+ 1 file changed, 69 insertions(+), 59 deletions(-)
+
+diff --git a/avahi-core/wide-area.c b/avahi-core/wide-area.c
+index 00a15056e..06df7afc6 100644
+--- a/avahi-core/wide-area.c
++++ b/avahi-core/wide-area.c
+@@ -81,6 +81,10 @@ struct AvahiWideAreaLookup {
+ 
+     AvahiAddress dns_server_used;
+ 
++    int fd;
++    AvahiWatch *watch;
++    AvahiProtocol proto;
++
+     AVAHI_LLIST_FIELDS(AvahiWideAreaLookup, lookups);
+     AVAHI_LLIST_FIELDS(AvahiWideAreaLookup, by_key);
+ };
+@@ -88,9 +92,6 @@ struct AvahiWideAreaLookup {
+ struct AvahiWideAreaLookupEngine {
+     AvahiServer *server;
+ 
+-    int fd_ipv4, fd_ipv6;
+-    AvahiWatch *watch_ipv4, *watch_ipv6;
+-
+     /* Cache */
+     AVAHI_LLIST_HEAD(AvahiWideAreaCacheEntry, cache);
+     AvahiHashmap *cache_by_key;
+@@ -125,35 +126,67 @@ static AvahiWideAreaLookup* find_lookup(AvahiWideAreaLookupEngine *e, uint16_t i
+     return l;
+ }
+ 
++static void socket_event(AVAHI_GCC_UNUSED AvahiWatch *w, int fd, AVAHI_GCC_UNUSED AvahiWatchEvent events, void *userdata);
++
+ static int send_to_dns_server(AvahiWideAreaLookup *l, AvahiDnsPacket *p) {
++    AvahiWideAreaLookupEngine *e;
+     AvahiAddress *a;
++    AvahiServer *s;
++    AvahiWatch *w;
++    int r;
+ 
+     assert(l);
+     assert(p);
+ 
+-    if (l->engine->n_dns_servers <= 0)
++    e = l->engine;
++    assert(e);
++
++    s = e->server;
++    assert(s);
++
++    if (e->n_dns_servers <= 0)
+         return -1;
+ 
+-    assert(l->engine->current_dns_server < l->engine->n_dns_servers);
++    assert(e->current_dns_server < e->n_dns_servers);
+ 
+-    a = &l->engine->dns_servers[l->engine->current_dns_server];
++    a = &e->dns_servers[e->current_dns_server];
+     l->dns_server_used = *a;
+ 
+-    if (a->proto == AVAHI_PROTO_INET) {
++    if (l->fd >= 0) {
++        /* We are reusing lookup object and sending packet to another server so let's cleanup before we establish connection to new server. */
++        s->poll_api->watch_free(l->watch);
++        l->watch = NULL;
+ 
+-        if (l->engine->fd_ipv4 < 0)
+-            return -1;
++        close(l->fd);
++        l->fd = -EBADF;
++    }
+ 
+-        return avahi_send_dns_packet_ipv4(l->engine->fd_ipv4, AVAHI_IF_UNSPEC, p, NULL, &a->data.ipv4, AVAHI_DNS_PORT);
++    assert(a->proto == AVAHI_PROTO_INET || a->proto == AVAHI_PROTO_INET6);
+ 
+-    } else {
+-        assert(a->proto == AVAHI_PROTO_INET6);
++    if (a->proto == AVAHI_PROTO_INET)
++        r = s->config.use_ipv4 ? avahi_open_unicast_socket_ipv4() : -1;
++    else
++        r = s->config.use_ipv6 ? avahi_open_unicast_socket_ipv6() : -1;
+ 
+-        if (l->engine->fd_ipv6 < 0)
+-            return -1;
++    if (r < 0) {
++        avahi_log_error(__FILE__ ": Failed to create socket for wide area lookup");
++        return -1;
++    }
+ 
+-        return avahi_send_dns_packet_ipv6(l->engine->fd_ipv6, AVAHI_IF_UNSPEC, p, NULL, &a->data.ipv6, AVAHI_DNS_PORT);
++    w = s->poll_api->watch_new(s->poll_api, r, AVAHI_WATCH_IN, socket_event, l);
++    if (!w) {
++        close(r);
++        avahi_log_error(__FILE__ ": Failed to create socket watch for wide area lookup");
++        return -1;
+     }
++
++    l->fd = r;
++    l->watch = w;
++    l->proto = a->proto;
++
++    return a->proto == AVAHI_PROTO_INET ?
++                avahi_send_dns_packet_ipv4(l->fd, AVAHI_IF_UNSPEC, p, NULL, &a->data.ipv4, AVAHI_DNS_PORT):
++                avahi_send_dns_packet_ipv6(l->fd, AVAHI_IF_UNSPEC, p, NULL, &a->data.ipv6, AVAHI_DNS_PORT);
+ }
+ 
+ static void next_dns_server(AvahiWideAreaLookupEngine *e) {
+@@ -246,6 +279,9 @@ AvahiWideAreaLookup *avahi_wide_area_lookup_new(
+     l->dead = 0;
+     l->key = avahi_key_ref(key);
+     l->cname_key = avahi_key_new_cname(l->key);
++    l->fd = -EBADF;
++    l->watch = NULL;
++    l->proto = AVAHI_PROTO_UNSPEC;
+     l->callback = callback;
+     l->userdata = userdata;
+ 
+@@ -314,6 +350,12 @@ static void lookup_destroy(AvahiWideAreaLookup *l) {
+     if (l->cname_key)
+         avahi_key_unref(l->cname_key);
+ 
++    if (l->watch)
++            l->engine->server->poll_api->watch_free(l->watch);
++
++    if (l->fd >= 0)
++        close(l->fd);
++
+     avahi_free(l);
+ }
+ 
+@@ -572,14 +614,20 @@ static void handle_packet(AvahiWideAreaLookupEngine *e, AvahiDnsPacket *p) {
+ }
+ 
+ static void socket_event(AVAHI_GCC_UNUSED AvahiWatch *w, int fd, AVAHI_GCC_UNUSED AvahiWatchEvent events, void *userdata) {
+-    AvahiWideAreaLookupEngine *e = userdata;
++    AvahiWideAreaLookup *l = userdata;
++    AvahiWideAreaLookupEngine *e = l->engine;
+     AvahiDnsPacket *p = NULL;
+ 
+-    if (fd == e->fd_ipv4)
+-        p = avahi_recv_dns_packet_ipv4(e->fd_ipv4, NULL, NULL, NULL, NULL, NULL);
++    assert(l);
++    assert(e);
++    assert(l->fd == fd);
++
++    if (l->proto == AVAHI_PROTO_INET)
++        p = avahi_recv_dns_packet_ipv4(l->fd, NULL, NULL, NULL, NULL, NULL);
+     else {
+-        assert(fd == e->fd_ipv6);
+-        p = avahi_recv_dns_packet_ipv6(e->fd_ipv6, NULL, NULL, NULL, NULL, NULL);
++        assert(l->proto == AVAHI_PROTO_INET6);
++
++        p = avahi_recv_dns_packet_ipv6(l->fd, NULL, NULL, NULL, NULL, NULL);
+     }
+ 
+     if (p) {
+@@ -598,32 +646,6 @@ AvahiWideAreaLookupEngine *avahi_wide_area_engine_new(AvahiServer *s) {
+     e->server = s;
+     e->cleanup_dead = 0;
+ 
+-    /* Create sockets */
+-    e->fd_ipv4 = s->config.use_ipv4 ? avahi_open_unicast_socket_ipv4() : -1;
+-    e->fd_ipv6 = s->config.use_ipv6 ? avahi_open_unicast_socket_ipv6() : -1;
+-
+-    if (e->fd_ipv4 < 0 && e->fd_ipv6 < 0) {
+-        avahi_log_error(__FILE__": Failed to create wide area sockets: %s", strerror(errno));
+-
+-        if (e->fd_ipv6 >= 0)
+-            close(e->fd_ipv6);
+-
+-        if (e->fd_ipv4 >= 0)
+-            close(e->fd_ipv4);
+-
+-        avahi_free(e);
+-        return NULL;
+-    }
+-
+-    /* Create watches */
+-
+-    e->watch_ipv4 = e->watch_ipv6 = NULL;
+-
+-    if (e->fd_ipv4 >= 0)
+-        e->watch_ipv4 = s->poll_api->watch_new(e->server->poll_api, e->fd_ipv4, AVAHI_WATCH_IN, socket_event, e);
+-    if (e->fd_ipv6 >= 0)
+-        e->watch_ipv6 = s->poll_api->watch_new(e->server->poll_api, e->fd_ipv6, AVAHI_WATCH_IN, socket_event, e);
+-
+     e->n_dns_servers = e->current_dns_server = 0;
+ 
+     /* Initialize cache */
+@@ -651,18 +673,6 @@ void avahi_wide_area_engine_free(AvahiWideAreaLookupEngine *e) {
+     avahi_hashmap_free(e->lookups_by_id);
+     avahi_hashmap_free(e->lookups_by_key);
+ 
+-    if (e->watch_ipv4)
+-        e->server->poll_api->watch_free(e->watch_ipv4);
+-
+-    if (e->watch_ipv6)
+-        e->server->poll_api->watch_free(e->watch_ipv6);
+-
+-    if (e->fd_ipv6 >= 0)
+-        close(e->fd_ipv6);
+-
+-    if (e->fd_ipv4 >= 0)
+-        close(e->fd_ipv4);
+-
+     avahi_free(e);
+ }
+ 
+@@ -680,7 +690,7 @@ void avahi_wide_area_set_servers(AvahiWideAreaLookupEngine *e, const AvahiAddres
+ 
+     if (a) {
+         for (e->n_dns_servers = 0; n > 0 && e->n_dns_servers < AVAHI_WIDE_AREA_SERVERS_MAX; a++, n--)
+-            if ((a->proto == AVAHI_PROTO_INET && e->fd_ipv4 >= 0) || (a->proto == AVAHI_PROTO_INET6 && e->fd_ipv6 >= 0))
++            if (a->proto == AVAHI_PROTO_INET || a->proto == AVAHI_PROTO_INET6)
+                 e->dns_servers[e->n_dns_servers++] = *a;
+     } else {
+         assert(n == 0);

meta/recipes-connectivity/bind/bind_9.18.41.bb

@@ -20,7 +20,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \
            file://0001-avoid-start-failure-with-bind-user.patch \
            "
 
-SRC_URI[sha256sum] = "fb373fac5ebbc41c645160afd5a9fb451918f6c0e69ab1d9474154e2b515de40"
+SRC_URI[sha256sum] = "6ddc1d981511c4da0b203b0513af131e5d15e5f1c261145736fe1f35dd1fe79d"
 
 UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
 # follow the ESV versions divisible by 2

meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch

@@ -0,0 +1,41 @@
+From 8d3be0285f1d4667bfe85dba555c663eb3d704b4 Mon Sep 17 00:00:00 2001
+From: Yoonje Shin <ioerts@kookmin.ac.kr>
+Date: Mon, 12 May 2025 10:48:18 +0200
+Subject: [PATCH] dnsproxy: Address CVE-2025-32366 vulnerability
+
+In Connman parse_rr in dnsproxy.c has a memcpy length
+that depends on an RR RDLENGTH value (i.e., *rdlen=ntohs(rr->rdlen)
+and memcpy(response+offset,*end,*rdlen)). Here, rdlen may be larger
+than the amount of remaining packet data in the current state of
+parsing. As a result, values of stack memory locations may be sent
+over the network in a response.
+
+This patch adds a check to ensure that (*end + *rdlen) does not exceed
+the valid range. If the condition is violated, the function returns
+-EINVAL.
+
+CVE: CVE-2025-32366
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4]
+
+Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
+---
+ src/dnsproxy.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index 334dd00..74aed50 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -950,6 +950,9 @@ static int parse_rr(unsigned char *buf, unsigned char *start,
+	if ((unsigned int) (offset + *rdlen) > *response_size)
+		return -ENOBUFS;
+
++	if ((*end + *rdlen) > max)
++		return -EINVAL;
++
+	memcpy(response + offset, *end, *rdlen);
+
+	*end += *rdlen;
+--
+2.40.0

meta/recipes-connectivity/connman/connman_1.41.bb

@@ -10,6 +10,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
            file://CVE-2022-32292.patch \
            file://CVE-2023-28488.patch \
            file://CVE-2025-32743.patch \
+           file://CVE-2025-32366.patch \
            "
 
 SRC_URI:append:libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"

meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11961-01.patch

@@ -0,0 +1,38 @@
+From 7224be0fe2f4beb916b7b69141f478facd0f0634 Mon Sep 17 00:00:00 2001
+From: Denis Ovsienko <denis@ovsienko.info>
+Date: Sat, 27 Dec 2025 21:36:11 +0000
+Subject: [PATCH] Rename one of the xdtoi() copies to simplify backporting.
+
+CVE: CVE-2025-11961
+Upstream-Status: Backport [https://github.com/the-tcpdump-group/libpcap/commit/7224be0fe2f4beb916b7b69141f478facd0f0634]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ nametoaddr.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/nametoaddr.c b/nametoaddr.c
+index dc75495c..bdaacbf1 100644
+--- a/nametoaddr.c
++++ b/nametoaddr.c
+@@ -646,7 +646,7 @@ pcap_nametollc(const char *s)
+ 
+ /* Hex digit to 8-bit unsigned integer. */
+ static inline u_char
+-xdtoi(u_char c)
++pcapint_xdtoi(u_char c)
+ {
+ 	if (c >= '0' && c <= '9')
+ 		return (u_char)(c - '0');
+@@ -728,10 +728,10 @@ pcap_ether_aton(const char *s)
+ 	while (*s) {
+ 		if (*s == ':' || *s == '.' || *s == '-')
+ 			s += 1;
+-		d = xdtoi(*s++);
++		d = pcapint_xdtoi(*s++);
+ 		if (PCAP_ISXDIGIT(*s)) {
+ 			d <<= 4;
+-			d |= xdtoi(*s++);
++			d |= pcapint_xdtoi(*s++);
+ 		}
+ 		*ep++ = d;
+ 	}

meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11961-02.patch

@@ -0,0 +1,433 @@
+From b2d2f9a9a0581c40780bde509f7cc715920f1c02 Mon Sep 17 00:00:00 2001
+From: Denis Ovsienko <denis@ovsienko.info>
+Date: Fri, 19 Dec 2025 17:31:13 +0000
+Subject: [PATCH] CVE-2025-11961: Fix OOBR and OOBW in pcap_ether_aton().
+
+pcap_ether_aton() has for a long time required its string argument to be
+a well-formed MAC-48 address, which is always the case when the argument
+comes from other libpcap code, so the function has never validated the
+input and used a simple loop to parse any of the three common MAC-48
+address formats.  However, the function has also been a part of the
+public API, so calling it directly with a malformed address can cause
+the loop to read beyond the end of the input string and/or to write
+beyond the end of the allocated output buffer.
+
+To handle invalid input more appropriately, replace the simple loop with
+new functions and require the input to match a supported address format.
+
+This problem was reported by Jin Wei, Kunwei Qian and Ping Chen.
+
+(backported from commit dd08e53e9380e217ae7c7768da9cc3d7bf37bf83)
+
+CVE: CVE-2025-11961
+Upstream-Status: Backport [https://github.com/the-tcpdump-group/libpcap/commit/b2d2f9a9a0581c40780bde509f7cc715920f1c02]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ gencode.c    |   5 +
+ nametoaddr.c | 367 +++++++++++++++++++++++++++++++++++++++++++++++----
+ 2 files changed, 349 insertions(+), 23 deletions(-)
+
+diff --git a/gencode.c b/gencode.c
+index 3ddd15f8..76fb2d82 100644
+--- a/gencode.c
++++ b/gencode.c
+@@ -7206,6 +7206,11 @@ gen_ecode(compiler_state_t *cstate, const char *s, struct qual q)
+ 		return (NULL);
+ 
+ 	if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
++		/*
++		 * Because the lexer guards the input string format, in this
++		 * context the function returns NULL iff the implicit malloc()
++		 * has failed.
++		 */
+ 		cstate->e = pcap_ether_aton(s);
+ 		if (cstate->e == NULL)
+ 			bpf_error(cstate, "malloc");
+diff --git a/nametoaddr.c b/nametoaddr.c
+index f9fcd288..f50d0da5 100644
+--- a/nametoaddr.c
++++ b/nametoaddr.c
+@@ -703,39 +703,360 @@ __pcap_atodn(const char *s, bpf_u_int32 *addr)
+ 	return(32);
+ }
+ 
++// Man page: "xxxxxxxxxxxx", regexp: "^[0-9a-fA-F]{12}$".
++static u_char
++pcapint_atomac48_xxxxxxxxxxxx(const char *s, uint8_t *addr)
++{
++	if (strlen(s) == 12 &&
++	    PCAP_ISXDIGIT(s[0]) &&
++	    PCAP_ISXDIGIT(s[1]) &&
++	    PCAP_ISXDIGIT(s[2]) &&
++	    PCAP_ISXDIGIT(s[3]) &&
++	    PCAP_ISXDIGIT(s[4]) &&
++	    PCAP_ISXDIGIT(s[5]) &&
++	    PCAP_ISXDIGIT(s[6]) &&
++	    PCAP_ISXDIGIT(s[7]) &&
++	    PCAP_ISXDIGIT(s[8]) &&
++	    PCAP_ISXDIGIT(s[9]) &&
++	    PCAP_ISXDIGIT(s[10]) &&
++	    PCAP_ISXDIGIT(s[11])) {
++		addr[0] = pcapint_xdtoi(s[0]) << 4 | pcapint_xdtoi(s[1]);
++		addr[1] = pcapint_xdtoi(s[2]) << 4 | pcapint_xdtoi(s[3]);
++		addr[2] = pcapint_xdtoi(s[4]) << 4 | pcapint_xdtoi(s[5]);
++		addr[3] = pcapint_xdtoi(s[6]) << 4 | pcapint_xdtoi(s[7]);
++		addr[4] = pcapint_xdtoi(s[8]) << 4 | pcapint_xdtoi(s[9]);
++		addr[5] = pcapint_xdtoi(s[10]) << 4 | pcapint_xdtoi(s[11]);
++		return 1;
++	}
++	return 0;
++}
++
++// Man page: "xxxx.xxxx.xxxx", regexp: "^[0-9a-fA-F]{4}(\.[0-9a-fA-F]{4}){2}$".
++static u_char
++pcapint_atomac48_xxxx_3_times(const char *s, uint8_t *addr)
++{
++	const char sep = '.';
++	if (strlen(s) == 14 &&
++	    PCAP_ISXDIGIT(s[0]) &&
++	    PCAP_ISXDIGIT(s[1]) &&
++	    PCAP_ISXDIGIT(s[2]) &&
++	    PCAP_ISXDIGIT(s[3]) &&
++	    s[4] == sep &&
++	    PCAP_ISXDIGIT(s[5]) &&
++	    PCAP_ISXDIGIT(s[6]) &&
++	    PCAP_ISXDIGIT(s[7]) &&
++	    PCAP_ISXDIGIT(s[8]) &&
++	    s[9] == sep &&
++	    PCAP_ISXDIGIT(s[10]) &&
++	    PCAP_ISXDIGIT(s[11]) &&
++	    PCAP_ISXDIGIT(s[12]) &&
++	    PCAP_ISXDIGIT(s[13])) {
++		addr[0] = pcapint_xdtoi(s[0]) << 4 | pcapint_xdtoi(s[1]);
++		addr[1] = pcapint_xdtoi(s[2]) << 4 | pcapint_xdtoi(s[3]);
++		addr[2] = pcapint_xdtoi(s[5]) << 4 | pcapint_xdtoi(s[6]);
++		addr[3] = pcapint_xdtoi(s[7]) << 4 | pcapint_xdtoi(s[8]);
++		addr[4] = pcapint_xdtoi(s[10]) << 4 | pcapint_xdtoi(s[11]);
++		addr[5] = pcapint_xdtoi(s[12]) << 4 | pcapint_xdtoi(s[13]);
++		return 1;
++	}
++	return 0;
++}
++
+ /*
+- * Convert 's', which can have the one of the forms:
++ * Man page: "xx:xx:xx:xx:xx:xx", regexp: "^[0-9a-fA-F]{1,2}(:[0-9a-fA-F]{1,2}){5}$".
++ * Man page: "xx-xx-xx-xx-xx-xx", regexp: "^[0-9a-fA-F]{1,2}(-[0-9a-fA-F]{1,2}){5}$".
++ * Man page: "xx.xx.xx.xx.xx.xx", regexp: "^[0-9a-fA-F]{1,2}(\.[0-9a-fA-F]{1,2}){5}$".
++ * (Any "xx" above can be "x", which is equivalent to "0x".)
+  *
+- *	"xx:xx:xx:xx:xx:xx"
+- *	"xx.xx.xx.xx.xx.xx"
+- *	"xx-xx-xx-xx-xx-xx"
+- *	"xxxx.xxxx.xxxx"
+- *	"xxxxxxxxxxxx"
++ * An equivalent (and parametrisable for EUI-64) FSM could be implemented using
++ * a smaller graph, but that graph would be neither acyclic nor planar nor
++ * trivial to verify.
+  *
+- * (or various mixes of ':', '.', and '-') into a new
+- * ethernet address.  Assumes 's' is well formed.
++ *                |
++ *    [.]         v
++ * +<---------- START
++ * |              |
++ * |              | [0-9a-fA-F]
++ * |  [.]         v
++ * +<--------- BYTE0_X ----------+
++ * |              |              |
++ * |              | [0-9a-fA-F]  |
++ * |  [.]         v              |
++ * +<--------- BYTE0_XX          | [:\.-]
++ * |              |              |
++ * |              | [:\.-]       |
++ * |  [.]         v              |
++ * +<----- BYTE0_SEP_BYTE1 <-----+
++ * |              |
++ * |              | [0-9a-fA-F]
++ * |  [.]         v
++ * +<--------- BYTE1_X ----------+
++ * |              |              |
++ * |              | [0-9a-fA-F]  |
++ * |  [.]         v              |
++ * +<--------- BYTE1_XX          | <sep>
++ * |              |              |
++ * |              | <sep>        |
++ * |  [.]         v              |
++ * +<----- BYTE1_SEP_BYTE2 <-----+
++ * |              |
++ * |              | [0-9a-fA-F]
++ * |  [.]         v
++ * +<--------- BYTE2_X ----------+
++ * |              |              |
++ * |              | [0-9a-fA-F]  |
++ * |  [.]         v              |
++ * +<--------- BYTE2_XX          | <sep>
++ * |              |              |
++ * |              | <sep>        |
++ * |  [.]         v              |
++ * +<----- BYTE2_SEP_BYTE3 <-----+
++ * |              |
++ * |              | [0-9a-fA-F]
++ * |  [.]         v
++ * +<--------- BYTE3_X ----------+
++ * |              |              |
++ * |              | [0-9a-fA-F]  |
++ * |  [.]         v              |
++ * +<--------- BYTE3_XX          | <sep>
++ * |              |              |
++ * |              | <sep>        |
++ * |  [.]         v              |
++ * +<----- BYTE3_SEP_BYTE4 <-----+
++ * |              |
++ * |              | [0-9a-fA-F]
++ * |  [.]         v
++ * +<--------- BYTE4_X ----------+
++ * |              |              |
++ * |              | [0-9a-fA-F]  |
++ * |  [.]         v              |
++ * +<--------- BYTE4_XX          | <sep>
++ * |              |              |
++ * |              | <sep>        |
++ * |  [.]         v              |
++ * +<----- BYTE4_SEP_BYTE5 <-----+
++ * |              |
++ * |              | [0-9a-fA-F]
++ * |  [.]         v
++ * +<--------- BYTE5_X ----------+
++ * |              |              |
++ * |              | [0-9a-fA-F]  |
++ * |  [.]         v              |
++ * +<--------- BYTE5_XX          | \0
++ * |              |              |
++ * |              | \0           |
++ * |              |              v
++ * +--> (reject)  +---------> (accept)
++ *
++ */
++static u_char
++pcapint_atomac48_x_xx_6_times(const char *s, uint8_t *addr)
++{
++	enum {
++		START,
++		BYTE0_X,
++		BYTE0_XX,
++		BYTE0_SEP_BYTE1,
++		BYTE1_X,
++		BYTE1_XX,
++		BYTE1_SEP_BYTE2,
++		BYTE2_X,
++		BYTE2_XX,
++		BYTE2_SEP_BYTE3,
++		BYTE3_X,
++		BYTE3_XX,
++		BYTE3_SEP_BYTE4,
++		BYTE4_X,
++		BYTE4_XX,
++		BYTE4_SEP_BYTE5,
++		BYTE5_X,
++		BYTE5_XX,
++	} fsm_state = START;
++	uint8_t buf[6];
++	const char *seplist = ":.-";
++	char sep;
++
++	while (*s) {
++		switch (fsm_state) {
++		case START:
++			if (PCAP_ISXDIGIT(*s)) {
++				buf[0] = pcapint_xdtoi(*s);
++				fsm_state = BYTE0_X;
++				break;
++			}
++			goto reject;
++		case BYTE0_X:
++			if (strchr(seplist, *s)) {
++				sep = *s;
++				fsm_state = BYTE0_SEP_BYTE1;
++				break;
++			}
++			if (PCAP_ISXDIGIT(*s)) {
++				buf[0] = buf[0] << 4 | pcapint_xdtoi(*s);
++				fsm_state = BYTE0_XX;
++				break;
++			}
++			goto reject;
++		case BYTE0_XX:
++			if (strchr(seplist, *s)) {
++				sep = *s;
++				fsm_state = BYTE0_SEP_BYTE1;
++				break;
++			}
++			goto reject;
++		case BYTE0_SEP_BYTE1:
++			if (PCAP_ISXDIGIT(*s)) {
++				buf[1] = pcapint_xdtoi(*s);
++				fsm_state = BYTE1_X;
++				break;
++			}
++			goto reject;
++		case BYTE1_X:
++			if (*s == sep) {
++				fsm_state = BYTE1_SEP_BYTE2;
++				break;
++			}
++			if (PCAP_ISXDIGIT(*s)) {
++				buf[1] = buf[1] << 4 | pcapint_xdtoi(*s);
++				fsm_state = BYTE1_XX;
++				break;
++			}
++			goto reject;
++		case BYTE1_XX:
++			if (*s == sep) {
++				fsm_state = BYTE1_SEP_BYTE2;
++				break;
++			}
++			goto reject;
++		case BYTE1_SEP_BYTE2:
++			if (PCAP_ISXDIGIT(*s)) {
++				buf[2] = pcapint_xdtoi(*s);
++				fsm_state = BYTE2_X;
++				break;
++			}
++			goto reject;
++		case BYTE2_X:
++			if (*s == sep) {
++				fsm_state = BYTE2_SEP_BYTE3;
++				break;
++			}
++			if (PCAP_ISXDIGIT(*s)) {
++				buf[2] = buf[2] << 4 | pcapint_xdtoi(*s);
++				fsm_state = BYTE2_XX;
++				break;
++			}
++			goto reject;
++		case BYTE2_XX:
++			if (*s == sep) {
++				fsm_state = BYTE2_SEP_BYTE3;
++				break;
++			}
++			goto reject;
++		case BYTE2_SEP_BYTE3:
++			if (PCAP_ISXDIGIT(*s)) {
++				buf[3] = pcapint_xdtoi(*s);
++				fsm_state = BYTE3_X;
++				break;
++			}
++			goto reject;
++		case BYTE3_X:
++			if (*s == sep) {
++				fsm_state = BYTE3_SEP_BYTE4;
++				break;
++			}
++			if (PCAP_ISXDIGIT(*s)) {
++				buf[3] = buf[3] << 4 | pcapint_xdtoi(*s);
++				fsm_state = BYTE3_XX;
++				break;
++			}
++			goto reject;
++		case BYTE3_XX:
++			if (*s == sep) {
++				fsm_state = BYTE3_SEP_BYTE4;
++				break;
++			}
++			goto reject;
++		case BYTE3_SEP_BYTE4:
++			if (PCAP_ISXDIGIT(*s)) {
++				buf[4] = pcapint_xdtoi(*s);
++				fsm_state = BYTE4_X;
++				break;
++			}
++			goto reject;
++		case BYTE4_X:
++			if (*s == sep) {
++				fsm_state = BYTE4_SEP_BYTE5;
++				break;
++			}
++			if (PCAP_ISXDIGIT(*s)) {
++				buf[4] = buf[4] << 4 | pcapint_xdtoi(*s);
++				fsm_state = BYTE4_XX;
++				break;
++			}
++			goto reject;
++		case BYTE4_XX:
++			if (*s == sep) {
++				fsm_state = BYTE4_SEP_BYTE5;
++				break;
++			}
++			goto reject;
++		case BYTE4_SEP_BYTE5:
++			if (PCAP_ISXDIGIT(*s)) {
++				buf[5] = pcapint_xdtoi(*s);
++				fsm_state = BYTE5_X;
++				break;
++			}
++			goto reject;
++		case BYTE5_X:
++			if (PCAP_ISXDIGIT(*s)) {
++				buf[5] = buf[5] << 4 | pcapint_xdtoi(*s);
++				fsm_state = BYTE5_XX;
++				break;
++			}
++			goto reject;
++		case BYTE5_XX:
++			goto reject;
++		} // switch
++		s++;
++	} // while
++
++	if (fsm_state == BYTE5_X || fsm_state == BYTE5_XX) {
++		// accept
++		memcpy(addr, buf, sizeof(buf));
++		return 1;
++	}
++
++reject:
++	return 0;
++}
++
++// The 'addr' argument must point to an array of at least 6 elements.
++static int
++pcapint_atomac48(const char *s, uint8_t *addr)
++{
++	return s && (
++	    pcapint_atomac48_xxxxxxxxxxxx(s, addr) ||
++	    pcapint_atomac48_xxxx_3_times(s, addr) ||
++	    pcapint_atomac48_x_xx_6_times(s, addr)
++	);
++}
++
++/*
++ * If 's' is a MAC-48 address in one of the forms documented in pcap-filter(7)
++ * for "ether host", return a pointer to an allocated buffer with the binary
++ * value of the address.  Return NULL on any error.
+  */
+ u_char *
+ pcap_ether_aton(const char *s)
+ {
+-	register u_char *ep, *e;
+-	register u_char d;
++	uint8_t tmp[6];
++	if (! pcapint_atomac48(s, tmp))
++		return (NULL);
+ 
+-	e = ep = (u_char *)malloc(6);
++	u_char *e = malloc(6);
+ 	if (e == NULL)
+ 		return (NULL);
+-
+-	while (*s) {
+-		if (*s == ':' || *s == '.' || *s == '-')
+-			s += 1;
+-		d = pcapint_xdtoi(*s++);
+-		if (PCAP_ISXDIGIT(*s)) {
+-			d <<= 4;
+-			d |= pcapint_xdtoi(*s++);
+-		}
+-		*ep++ = d;
+-	}
+-
++	memcpy(e, tmp, sizeof(tmp));
+ 	return (e);
+ }
+ 

meta/recipes-connectivity/libpcap/libpcap/CVE-2025-11964.patch

@@ -0,0 +1,33 @@
+From 7fabf607f2319a36a0bd78444247180acb838e69 Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Sun, 7 Sep 2025 12:51:56 -0700
+Subject: [PATCH] Fix a copy-and-pasteo in utf_16le_to_utf_8_truncated().
+
+For the four octets of UTF-8 case, it was decrementing the remaining
+buffer length by 3, not 4.
+
+Thanks to a team of developers from the Univesity of Waterloo for
+reporting this.
+
+(cherry picked from commit aebfca1aea2fc8c177760a26e8f4de27b51d1b3b)
+
+CVE: CVE-2025-11964
+Upstream-Status: Backport [https://github.com/the-tcpdump-group/libpcap/commit/7fabf607f2319a36a0bd78444247180acb838e69]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ fmtutils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fmtutils.c b/fmtutils.c
+index a5a4fe62..78a0f8b7 100644
+--- a/fmtutils.c
++++ b/fmtutils.c
+@@ -235,7 +235,7 @@ utf_16le_to_utf_8_truncated(const wchar_t *utf_16, char *utf_8,
+ 			*utf_8++ = ((uc >> 12) & 0x3F) | 0x80;
+ 			*utf_8++ = ((uc >> 6) & 0x3F) | 0x80;
+ 			*utf_8++ = ((uc >> 0) & 0x3F) | 0x80;
+-			utf_8_len -= 3;
++			utf_8_len -= 4;
+ 		}
+ 	}
+ 

meta/recipes-connectivity/libpcap/libpcap_1.10.1.bb

@@ -17,6 +17,9 @@ SRC_URI = "https://www.tcpdump.org/release/${BP}.tar.gz \
            file://CVE-2023-7256-pre4.patch \
            file://CVE-2023-7256.patch \
            file://CVE-2024-8006.patch \
+           file://CVE-2025-11961-01.patch \
+           file://CVE-2025-11961-02.patch \
+           file://CVE-2025-11964.patch \
           "
 
 SRC_URI[sha256sum] = "ed285f4accaf05344f90975757b3dbfe772ba41d1c401c2648b7fa45b711bdd4"

meta/recipes-connectivity/nfs-utils/nfs-utils/nfsserver

@@ -66,34 +66,14 @@ start_nfsd(){
 	start-stop-daemon --start --exec "$NFS_NFSD" -- "$@"
 	echo done
 }
-delay_nfsd(){
-	for delay in 0 1 2 3 4 5 6 7 8 9 
-	do
-		if pidof nfsd >/dev/null
-		then
-			echo -n .
-			sleep 1
-		else
-			return 0
-		fi
-	done
-	return 1
-}
 stop_nfsd(){
-	# WARNING: this kills any process with the executable
-	# name 'nfsd'.
 	echo -n 'stopping nfsd: '
-	start-stop-daemon --stop --quiet --signal 1 --name nfsd
-	if delay_nfsd || {
-		echo failed
-		echo ' using signal 9: '
-		start-stop-daemon --stop --quiet --signal 9 --name nfsd
-		delay_nfsd
-	}
+	$NFS_NFSD 0
+	if pidof nfsd
 	then
-		echo done
-	else
 		echo failed
+	else
+		echo done
 	fi
 }
 

meta/recipes-connectivity/ofono/ofono/CVE-2023-4232.patch

@@ -0,0 +1,30 @@
+From 2ff2da7ac374a790f8b2a0216bcb4e3126498225 Mon Sep 17 00:00:00 2001
+From: "Sicelo A. Mhlongo" <absicsz@gmail.com>
+Date: Wed, 4 Dec 2024 10:18:52 +0200
+Subject: [PATCH] smsutil: check status report fits in buffer
+
+Fixes CVE-2023-4232
+
+CVE: CVE-2023-4232
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=2ff2da7ac374a790f8b2a0216bcb4e3126498225]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ src/smsutil.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/smsutil.c b/src/smsutil.c
+index ac89f16c..a706e26f 100644
+--- a/src/smsutil.c
++++ b/src/smsutil.c
+@@ -1088,6 +1088,9 @@ static gboolean decode_status_report(const unsigned char *pdu, int len,
+		if ((len - offset) < expected)
+			return FALSE;
+
++		if (expected > (int)sizeof(out->status_report.ud))
++			return FALSE;
++
+		memcpy(out->status_report.ud, pdu + offset, expected);
+	}
+
+--
+2.30.2

meta/recipes-connectivity/ofono/ofono/CVE-2023-4235.patch

@@ -0,0 +1,37 @@
+From 02aa0f9bad3d9e47a152fc045d0f51874d901d7e Mon Sep 17 00:00:00 2001
+From: "Sicelo A. Mhlongo" <absicsz@gmail.com>
+Date: Wed, 4 Dec 2024 10:18:51 +0200
+Subject: [PATCH] smsutil: check deliver reports fit in buffer
+
+Fixes CVE-2023-4235
+
+CVE: CVE-2023-4235
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=02aa0f9bad3d9e47a152fc045d0f51874d901d7e]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ src/smsutil.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/smsutil.c b/src/smsutil.c
+index 484bfd0b..ac89f16c 100644
+--- a/src/smsutil.c
++++ b/src/smsutil.c
+@@ -1240,10 +1240,16 @@ static gboolean decode_deliver_report(const unsigned char *pdu, int len,
+			return FALSE;
+
+		if (out->type == SMS_TYPE_DELIVER_REPORT_ERROR) {
++			if (expected > (int) sizeof(out->deliver_err_report.ud))
++				return FALSE;
++
+			out->deliver_err_report.udl = udl;
+			memcpy(out->deliver_err_report.ud,
+					pdu + offset, expected);
+		} else {
++			if (expected > (int) sizeof(out->deliver_ack_report.ud))
++				return FALSE;
++
+			out->deliver_ack_report.udl = udl;
+			memcpy(out->deliver_ack_report.ud,
+					pdu + offset, expected);
+--
+2.30.2

meta/recipes-connectivity/ofono/ofono_1.34.bb

@@ -26,6 +26,8 @@ SRC_URI = "\
     file://CVE-2024-7547.patch \
     file://CVE-2024-7540_CVE-2024-7541_CVE-2024-7542.patch \
     file://CVE-2024-7537.patch \
+    file://CVE-2023-4232.patch \
+    file://CVE-2023-4235.patch \
 "
 SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7"
 

meta/recipes-connectivity/openssh/openssh/CVE-2025-32728.patch

@@ -0,0 +1,44 @@
+From fc86875e6acb36401dfc1dfb6b628a9d1460f367 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Wed, 9 Apr 2025 07:00:03 +0000
+Subject: [PATCH] upstream: Fix logic error in DisableForwarding option. This
+ option
+
+was documented as disabling X11 and agent forwarding but it failed to do so.
+Spotted by Tim Rice.
+
+OpenBSD-Commit-ID: fffc89195968f7eedd2fc57f0b1f1ef3193f5ed1
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/fc86875e6acb36401dfc1dfb6b628a9d1460f367]
+CVE: CVE-2025-32728
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ session.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/session.c b/session.c
+index e67d24d..625e97f 100644
+--- a/session.c
++++ b/session.c
+@@ -2182,7 +2182,8 @@ session_auth_agent_req(struct ssh *ssh, Session *s)
+ 	if ((r = sshpkt_get_end(ssh)) != 0)
+ 		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
+ 	if (!auth_opts->permit_agent_forwarding_flag ||
+-	    !options.allow_agent_forwarding) {
++	    !options.allow_agent_forwarding ||
++	    options.disable_forwarding) {
+ 		debug_f("agent forwarding disabled");
+ 		return 0;
+ 	}
+@@ -2568,7 +2569,7 @@ session_setup_x11fwd(struct ssh *ssh, Session *s)
+ 		ssh_packet_send_debug(ssh, "X11 forwarding disabled by key options.");
+ 		return 0;
+ 	}
+-	if (!options.x11_forwarding) {
++	if (!options.x11_forwarding || options.disable_forwarding) {
+ 		debug("X11 forwarding disabled in server configuration file.");
+ 		return 0;
+ 	}
+-- 
+2.25.1
+

meta/recipes-connectivity/openssh/openssh/CVE-2025-61984.patch

@@ -0,0 +1,98 @@
+From 35d5917652106aede47621bb3f64044604164043 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Thu, 4 Sep 2025 00:29:09 +0000
+Subject: [PATCH] upstream: Improve rules for %-expansion of username.
+
+Usernames passed on the commandline will no longer be subject to
+% expansion. Some tools invoke ssh with connection information
+(i.e. usernames and host names) supplied from untrusted sources.
+These may contain % expansion sequences which could yield
+unexpected results.
+
+Since openssh-9.6, all usernames have been subject to validity
+checking. This change tightens the validity checks by refusing
+usernames that include control characters (again, these can cause
+surprises when supplied adversarially).
+
+This change also relaxes the validity checks in one small way:
+usernames supplied via the configuration file as literals (i.e.
+include no % expansion characters) are not subject to these
+validity checks. This allows usernames that contain arbitrary
+characters to be used, but only via configuration files. This
+is done on the basis that ssh's configuration is trusted.
+
+Pointed out by David Leadbeater, ok deraadt@
+
+OpenBSD-Commit-ID: e2f0c871fbe664aba30607321575e7c7fc798362
+
+CVE: CVE-2025-61984
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/35d5917652106aede47621bb3f64044604164043]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ ssh.c | 11 +++++++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/ssh.c b/ssh.c
+index 82ed15f..d4e2040 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -634,6 +634,8 @@ valid_ruser(const char *s)
+ 	if (*s == '-')
+ 		return 0;
+ 	for (i = 0; s[i] != 0; i++) {
++		if (iscntrl((u_char)s[i]))
++			return 0;
+ 		if (strchr("'`\";&<>|(){}", s[i]) != NULL)
+ 			return 0;
+ 		/* Disallow '-' after whitespace */
+@@ -655,6 +657,7 @@ main(int ac, char **av)
+ 	struct ssh *ssh = NULL;
+ 	int i, r, opt, exit_status, use_syslog, direct, timeout_ms;
+ 	int was_addr, config_test = 0, opt_terminated = 0, want_final_pass = 0;
++	int user_on_commandline = 0, user_was_default = 0, user_expanded = 0;
+ 	char *p, *cp, *line, *argv0, *logfile, *host_arg;
+ 	char cname[NI_MAXHOST], thishost[NI_MAXHOST];
+ 	struct stat st;
+@@ -995,8 +998,10 @@ main(int ac, char **av)
+ 			}
+ 			break;
+ 		case 'l':
+-			if (options.user == NULL)
++			if (options.user == NULL) {
+ 				options.user = optarg;
++				user_on_commandline = 1;
++			}
+ 			break;
+ 
+ 		case 'L':
+@@ -1099,6 +1104,7 @@ main(int ac, char **av)
+ 			if (options.user == NULL) {
+ 				options.user = tuser;
+ 				tuser = NULL;
++				user_on_commandline = 1;
+ 			}
+ 			free(tuser);
+ 			if (options.port == -1 && tport != -1)
+@@ -1113,6 +1119,7 @@ main(int ac, char **av)
+ 				if (options.user == NULL) {
+ 					options.user = p;
+ 					p = NULL;
++					user_on_commandline = 1;
+ 				}
+ 				*cp++ = '\0';
+ 				host = xstrdup(cp);
+@@ -1265,8 +1272,10 @@ main(int ac, char **av)
+ 	if (fill_default_options(&options) != 0)
+ 		cleanup_exit(255);
+ 
+-	if (options.user == NULL)
++	if (options.user == NULL) {
++		user_was_default = 1;
+ 		options.user = xstrdup(pw->pw_name);
++	}
+ 
+ 	/*
+ 	 * If ProxyJump option specified, then construct a ProxyCommand now.
+-- 
+2.50.1
+

meta/recipes-connectivity/openssh/openssh/CVE-2025-61985.patch

@@ -0,0 +1,35 @@
+From 54928cb9eaa7143ff17f463efa7ed3109afdbf30 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Thu, 4 Sep 2025 00:30:06 +0000
+Subject: [PATCH] upstream: don't allow \0 characters in url-encoded strings.
+ Suggested by David Leadbeater, ok deraadt@
+
+OpenBSD-Commit-ID: c92196cef0f970ceabc1e8007a80b01e9b7cd49c
+
+CVE: CVE-2025-61985
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/43b3bff47bb029f2299bacb6a36057981b39fdb0]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ misc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/misc.c b/misc.c
+index 6135b15..3d133b5 100644
+--- a/misc.c
++++ b/misc.c
+@@ -934,9 +934,10 @@ urldecode(const char *src)
+			*dst++ = ' ';
+			break;
+		case '%':
++			/* note: don't allow \0 characters */
+			if (!isxdigit((unsigned char)src[1]) ||
+			    !isxdigit((unsigned char)src[2]) ||
+-			    (ch = hexchar(src + 1)) == -1) {
++			    (ch = hexchar(src + 1)) == -1 || ch == 0) {
+				free(ret);
+				return NULL;
+			}
+--
+2.40.0

meta/recipes-connectivity/openssh/openssh_8.9p1.bb

@@ -38,6 +38,9 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            file://CVE-2023-51385.patch \
            file://CVE-2024-6387.patch \
            file://CVE-2025-26465.patch \
+           file://CVE-2025-32728.patch \
+           file://CVE-2025-61985.patch \
+           file://CVE-2025-61984.patch \
            "
 SRC_URI[sha256sum] = "fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7"
 

meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-1.patch

@@ -0,0 +1,618 @@
+From 24734088e1034392de981151dfe57e3a379ada18 Mon Sep 17 00:00:00 2001
+From: Hubert Kario <hkario@redhat.com>
+Date: Tue, 15 Mar 2022 13:58:08 +0100
+Subject: [PATCH 1/3] rsa: add implicit rejection in PKCS#1 v1.5
+
+The RSA decryption as implemented before required very careful handling
+of both the exit code returned by OpenSSL and the potentially returned
+ciphertext. Looking at the recent security vulnerabilities
+(CVE-2020-25659 and CVE-2020-25657) it is unlikely that most users of
+OpenSSL do it correctly.
+
+Given that correct code requires side channel secure programming in
+application code, we can classify the existing RSA decryption methods
+as CWE-676, which in turn likely causes CWE-208 and CWE-385 in
+application code.
+
+To prevent that, we can use a technique called "implicit rejection".
+For that we generate a random message to be returned in case the
+padding check fails. We generate the message based on static secret
+data (the private exponent) and the provided ciphertext (so that the
+attacker cannot determine that the returned value is randomly generated
+instead of result of decryption and de-padding). We return it in case
+any part of padding check fails.
+
+The upshot of this approach is that then not only is the length of the
+returned message useless as the Bleichenbacher oracle, so are the
+actual bytes of the returned message. So application code doesn't have
+to perform any operations on the returned message in side-channel free
+way to remain secure against Bleichenbacher attacks.
+
+Note: this patch implements a specific algorithm, shared with Mozilla
+NSS, so that the attacker cannot use one library as an oracle against the
+other in heterogeneous environments.
+
+CVE: CVE-2023-50781
+
+Upstream-Status: Backport
+[https://github.com/openssl/openssl/commit/7fc67e0a33102aa47bbaa56533eeecb98c0450f7]
+
+Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/13817)
+
+Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
+---
+ crypto/rsa/rsa_ossl.c                     |  95 +++++++-
+ crypto/rsa/rsa_pk1.c                      | 252 ++++++++++++++++++++++
+ doc/man1/openssl-pkeyutl.pod.in           |   5 +
+ doc/man1/openssl-rsautl.pod.in            |   5 +
+ doc/man3/EVP_PKEY_CTX_ctrl.pod            |   7 +
+ doc/man3/EVP_PKEY_decrypt.pod             |  12 ++
+ doc/man3/RSA_padding_add_PKCS1_type_1.pod |   7 +-
+ doc/man3/RSA_public_encrypt.pod           |  11 +-
+ include/crypto/rsa.h                      |   4 +
+ 9 files changed, 393 insertions(+), 5 deletions(-)
+
+diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c
+index 0fc642e777..330302ae55 100644
+--- a/crypto/rsa/rsa_ossl.c
++++ b/crypto/rsa/rsa_ossl.c
+@@ -17,6 +17,9 @@
+ #include "crypto/bn.h"
+ #include "rsa_local.h"
+ #include "internal/constant_time.h"
++#include <openssl/evp.h>
++#include <openssl/sha.h>
++#include <openssl/hmac.h>
+ 
+ static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
+                                   unsigned char *to, RSA *rsa, int padding);
+@@ -377,8 +380,13 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
+     BIGNUM *f, *ret;
+     int j, num = 0, r = -1;
+     unsigned char *buf = NULL;
++    unsigned char d_hash[SHA256_DIGEST_LENGTH] = {0};
++    HMAC_CTX *hmac = NULL;
++    unsigned int md_len = SHA256_DIGEST_LENGTH;
++    unsigned char kdk[SHA256_DIGEST_LENGTH] = {0};
+     BN_CTX *ctx = NULL;
+     int local_blinding = 0;
++    EVP_MD *md = NULL;
+     /*
+      * Used only if the blinding structure is shared. A non-NULL unblind
+      * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
+@@ -408,6 +416,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
+         goto err;
+     }
+ 
++    if (flen < 1) {
++        ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_SMALL);
++        goto err;
++    }
++
+     /* make data into a big number */
+     if (BN_bin2bn(from, (int)flen, f) == NULL)
+         goto err;
+@@ -472,13 +485,91 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
+         if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
+             goto err;
+ 
++    /*
++     * derive the Key Derivation Key from private exponent and public
++     * ciphertext
++     */
++    if (!(rsa->flags & RSA_FLAG_EXT_PKEY)) {
++        /*
++         * because we use d as a handle to rsa->d we need to keep it local and
++         * free before any further use of rsa->d
++         */
++        BIGNUM *d = BN_new();
++        if (d == NULL) {
++            ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
++            goto err;
++        }
++        if (rsa->d == NULL) {
++            ERR_raise(ERR_LIB_RSA, RSA_R_MISSING_PRIVATE_KEY);
++            BN_free(d);
++            goto err;
++        }
++        BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
++        if (BN_bn2binpad(d, buf, num) < 0) {
++            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++            BN_free(d);
++            goto err;
++        }
++        BN_free(d);
++
++        /*
++         * we use hardcoded hash so that migrating between versions that use
++         * different hash doesn't provide a Bleichenbacher oracle:
++         * if the attacker can see that different versions return different
++         * messages for the same ciphertext, they'll know that the message is
++         * syntethically generated, which means that the padding check failed
++         */
++        md = EVP_MD_fetch(rsa->libctx, "sha256", NULL);
++        if (md == NULL) {
++            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++            goto err;
++        }
++
++        if (EVP_Digest(buf, num, d_hash, NULL, md, NULL) <= 0) {
++            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++            goto err;
++        }
++
++        hmac = HMAC_CTX_new();
++        if (hmac == NULL) {
++            ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
++            goto err;
++        }
++
++        if (HMAC_Init_ex(hmac, d_hash, sizeof(d_hash), md, NULL) <= 0) {
++            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++            goto err;
++        }
++
++        if (flen < num) {
++            memset(buf, 0, num - flen);
++            if (HMAC_Update(hmac, buf, num - flen) <= 0) {
++                ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++                goto err;
++            }
++        }
++        if (HMAC_Update(hmac, from, flen) <= 0) {
++            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++            goto err;
++        }
++
++        md_len = SHA256_DIGEST_LENGTH;
++        if (HMAC_Final(hmac, kdk, &md_len) <= 0) {
++            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++            goto err;
++        }
++    }
++
+     j = BN_bn2binpad(ret, buf, num);
+     if (j < 0)
+         goto err;
+ 
+     switch (padding) {
+     case RSA_PKCS1_PADDING:
+-        r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
++        if (rsa->flags & RSA_FLAG_EXT_PKEY)
++            r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
++        else
++            r = ossl_rsa_padding_check_PKCS1_type_2(rsa->libctx, to, num, buf, j, num, kdk);
+         break;
+     case RSA_PKCS1_OAEP_PADDING:
+         r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0);
+@@ -501,6 +592,8 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
+ #endif
+ 
+  err:
++    HMAC_CTX_free(hmac);
++    EVP_MD_free(md);
+     BN_CTX_end(ctx);
+     BN_CTX_free(ctx);
+     OPENSSL_clear_free(buf, num);
+diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c
+index 51507fc030..5cd2b26879 100644
+--- a/crypto/rsa/rsa_pk1.c
++++ b/crypto/rsa/rsa_pk1.c
+@@ -21,10 +21,14 @@
+ #include <openssl/rand.h>
+ /* Just for the SSL_MAX_MASTER_KEY_LENGTH value */
+ #include <openssl/prov_ssl.h>
++#include <openssl/evp.h>
++#include <openssl/sha.h>
++#include <openssl/hmac.h>
+ #include "internal/cryptlib.h"
+ #include "crypto/rsa.h"
+ #include "rsa_local.h"
+ 
++
+ int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
+                                  const unsigned char *from, int flen)
+ {
+@@ -273,6 +277,254 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
+     return constant_time_select_int(good, mlen, -1);
+ }
+ 
++
++static int ossl_rsa_prf(OSSL_LIB_CTX *ctx,
++                        unsigned char *to, int tlen,
++                        const char *label, int llen,
++                        const unsigned char *kdk,
++                        uint16_t bitlen)
++{
++    int pos;
++    int ret = -1;
++    uint16_t iter = 0;
++    unsigned char be_iter[sizeof(iter)];
++    unsigned char be_bitlen[sizeof(bitlen)];
++    HMAC_CTX *hmac = NULL;
++    EVP_MD *md = NULL;
++    unsigned char hmac_out[SHA256_DIGEST_LENGTH];
++    unsigned int md_len;
++
++    if (tlen * 8 != bitlen) {
++        ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++        return ret;
++    }
++
++    be_bitlen[0] = (bitlen >> 8) & 0xff;
++    be_bitlen[1] = bitlen & 0xff;
++
++    hmac = HMAC_CTX_new();
++    if (hmac == NULL) {
++        ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++        goto err;
++    }
++
++    /*
++     * we use hardcoded hash so that migrating between versions that use
++     * different hash doesn't provide a Bleichenbacher oracle:
++     * if the attacker can see that different versions return different
++     * messages for the same ciphertext, they'll know that the message is
++     * syntethically generated, which means that the padding check failed
++     */
++    md = EVP_MD_fetch(ctx, "sha256", NULL);
++    if (md == NULL) {
++        ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++        goto err;
++    }
++
++    if (HMAC_Init_ex(hmac, kdk, SHA256_DIGEST_LENGTH, md, NULL) <= 0) {
++        ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++        goto err;
++    }
++
++    for (pos = 0; pos < tlen; pos += SHA256_DIGEST_LENGTH, iter++) {
++        if (HMAC_Init_ex(hmac, NULL, 0, NULL, NULL) <= 0) {
++            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++            goto err;
++        }
++
++        be_iter[0] = (iter >> 8) & 0xff;
++        be_iter[1] = iter & 0xff;
++
++        if (HMAC_Update(hmac, be_iter, sizeof(be_iter)) <= 0) {
++            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++            goto err;
++        }
++        if (HMAC_Update(hmac, (unsigned char *)label, llen) <= 0) {
++            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++            goto err;
++        }
++        if (HMAC_Update(hmac, be_bitlen, sizeof(be_bitlen)) <= 0) {
++            ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++            goto err;
++        }
++
++        /*
++         * HMAC_Final requires the output buffer to fit the whole MAC
++         * value, so we need to use the intermediate buffer for the last
++         * unaligned block
++         */
++        md_len = SHA256_DIGEST_LENGTH;
++        if (pos + SHA256_DIGEST_LENGTH > tlen) {
++            if (HMAC_Final(hmac, hmac_out, &md_len) <= 0) {
++                ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++                goto err;
++            }
++            memcpy(to + pos, hmac_out, tlen - pos);
++        } else {
++            if (HMAC_Final(hmac, to + pos, &md_len) <= 0) {
++                ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++                goto err;
++            }
++        }
++    }
++
++    ret = 0;
++
++err:
++    HMAC_CTX_free(hmac);
++    EVP_MD_free(md);
++    return ret;
++}
++
++/*
++ * ossl_rsa_padding_check_PKCS1_type_2() checks and removes the PKCS#1 type 2
++ * padding from a decrypted RSA message. Unlike the
++ * RSA_padding_check_PKCS1_type_2() it will not return an error in case it
++ * detects a padding error, rather it will return a deterministically generated
++ * random message. In other words it will perform an implicit rejection
++ * of an invalid padding. This means that the returned value does not indicate
++ * if the padding of the encrypted message was correct or not, making
++ * side channel attacks like the ones described by Bleichenbacher impossible
++ * without access to the full decrypted value and a brute-force search of
++ * remaining padding bytes
++ */
++int ossl_rsa_padding_check_PKCS1_type_2(OSSL_LIB_CTX *ctx,
++                                        unsigned char *to, int tlen,
++                                        const unsigned char *from, int flen,
++                                        int num, unsigned char *kdk)
++{
++/*
++ * We need to generate a random length for the synthethic message, to avoid
++ * bias towards zero and avoid non-constant timeness of DIV, we prepare
++ * 128 values to check if they are not too large for the used key size,
++ * and use 0 in case none of them are small enough, as 2^-128 is a good enough
++ * safety margin
++ */
++#define MAX_LEN_GEN_TRIES 128
++    unsigned char *synthetic = NULL;
++    int synthethic_length;
++    uint16_t len_candidate;
++    unsigned char candidate_lengths[MAX_LEN_GEN_TRIES * sizeof(len_candidate)];
++    uint16_t len_mask;
++    uint16_t max_sep_offset;
++    int synth_msg_index = 0;
++    int ret = -1;
++    int i, j;
++    unsigned int good, found_zero_byte;
++    int zero_index = 0, msg_index;
++
++    /*
++     * If these checks fail then either the message in publicly invalid, or
++     * we've been called incorrectly. We can fail immediately.
++     * Since this code is called only internally by openssl, those are just
++     * sanity checks
++     */
++    if (num != flen || tlen <= 0 || flen <= 0) {
++        ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++        return -1;
++    }
++
++    /* Generate a random message to return in case the padding checks fail */
++    synthetic = OPENSSL_malloc(flen);
++    if (synthetic == NULL) {
++        ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
++        return -1;
++    }
++
++    if (ossl_rsa_prf(ctx, synthetic, flen, "message", 7, kdk, flen * 8) < 0)
++        goto err;
++
++    /* decide how long the random message should be */
++    if (ossl_rsa_prf(ctx, candidate_lengths, sizeof(candidate_lengths),
++                     "length", 6, kdk,
++                     MAX_LEN_GEN_TRIES * sizeof(len_candidate) * 8) < 0)
++        goto err;
++
++    /*
++     * max message size is the size of the modulus size less 2 bytes for
++     * version and padding type and a minimum of 8 bytes padding
++     */
++    len_mask = max_sep_offset = flen - 2 - 8;
++    /*
++     * we want a mask so lets propagate the high bit to all positions less
++     * significant than it
++     */
++    len_mask |= len_mask >> 1;
++    len_mask |= len_mask >> 2;
++    len_mask |= len_mask >> 4;
++    len_mask |= len_mask >> 8;
++
++    synthethic_length = 0;
++    for (i = 0; i < MAX_LEN_GEN_TRIES * (int)sizeof(len_candidate);
++            i += sizeof(len_candidate)) {
++        len_candidate = (candidate_lengths[i] << 8) | candidate_lengths[i + 1];
++        len_candidate &= len_mask;
++
++        synthethic_length = constant_time_select_int(
++            constant_time_lt(len_candidate, max_sep_offset),
++            len_candidate, synthethic_length);
++    }
++
++    synth_msg_index = flen - synthethic_length;
++
++    /* we have alternative message ready, check the real one */
++    good = constant_time_is_zero(from[0]);
++    good &= constant_time_eq(from[1], 2);
++
++    /* then look for the padding|message separator (the first zero byte) */
++    found_zero_byte = 0;
++    for (i = 2; i < flen; i++) {
++        unsigned int equals0 = constant_time_is_zero(from[i]);
++        zero_index = constant_time_select_int(~found_zero_byte & equals0,
++                                              i, zero_index);
++        found_zero_byte |= equals0;
++    }
++
++    /*
++     * padding must be at least 8 bytes long, and it starts two bytes into
++     * |from|. If we never found a 0-byte, then |zero_index| is 0 and the check
++     * also fails.
++     */
++    good &= constant_time_ge(zero_index, 2 + 8);
++
++    /*
++     * Skip the zero byte. This is incorrect if we never found a zero-byte
++     * but in this case we also do not copy the message out.
++     */
++    msg_index = zero_index + 1;
++
++    /*
++     * old code returned an error in case the decrypted message wouldn't fit
++     * into the |to|, since that would leak information, return the synthethic
++     * message instead
++     */
++    good &= constant_time_ge(tlen, num - msg_index);
++
++    msg_index = constant_time_select_int(good, msg_index, synth_msg_index);
++
++    /*
++     * since at this point the |msg_index| does not provide the signal
++     * indicating if the padding check failed or not, we don't have to worry
++     * about leaking the length of returned message, we still need to ensure
++     * that we read contents of both buffers so that cache accesses don't leak
++     * the value of |good|
++     */
++    for (i = msg_index, j = 0; i < flen && j < tlen; i++, j++)
++        to[j] = constant_time_select_8(good, from[i], synthetic[i]);
++    ret = j;
++
++err:
++    /*
++     * the only time ret < 0 is when the ciphertext is publicly invalid
++     * or we were called with invalid parameters, so we don't have to perform
++     * a side-channel secure raising of the error
++     */
++    if (ret < 0)
++        ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
++    OPENSSL_free(synthetic);
++    return ret;
++}
++
+ /*
+  * ossl_rsa_padding_check_PKCS1_type_2_TLS() checks and removes the PKCS1 type 2
+  * padding from a decrypted RSA message in a TLS signature. The result is stored
+diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in
+index 2f6ef0021d..015265a74d 100644
+--- a/doc/man1/openssl-pkeyutl.pod.in
++++ b/doc/man1/openssl-pkeyutl.pod.in
+@@ -273,6 +273,11 @@ signed or verified directly instead of using a B<DigestInfo> structure. If a
+ digest is set, then the B<DigestInfo> structure is used and its length
+ must correspond to the digest type.
+ 
++Note, for B<pkcs1> padding, as a protection against Bleichenbacher attack,
++the decryption will not fail in case of padding check failures. Use B<none>
++and manual inspection of the decrypted message to verify if the decrypted
++value has correct PKCS#1 v1.5 padding.
++
+ For B<oaep> mode only encryption and decryption is supported.
+ 
+ For B<x931> if the digest type is set it is used to format the block data
+diff --git a/doc/man1/openssl-rsautl.pod.in b/doc/man1/openssl-rsautl.pod.in
+index 0a32fd965b..4c462abc8c 100644
+--- a/doc/man1/openssl-rsautl.pod.in
++++ b/doc/man1/openssl-rsautl.pod.in
+@@ -105,6 +105,11 @@ The padding to use: PKCS#1 v1.5 (the default), PKCS#1 OAEP,
+ ANSI X9.31, or no padding, respectively.
+ For signatures, only B<-pkcs> and B<-raw> can be used.
+ 
++Note: because of protection against Bleichenbacher attacks, decryption
++using PKCS#1 v1.5 mode will not return errors in case padding check failed.
++Use B<-raw> and inspect the returned value manually to check if the
++padding is correct.
++
+ =item B<-hexdump>
+ 
+ Hex dump the output data.
+diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod
+index 3075eaafd6..e788f38809 100644
+--- a/doc/man3/EVP_PKEY_CTX_ctrl.pod
++++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod
+@@ -386,6 +386,13 @@ this behaviour should be tolerated then
+ OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION should be set to the actual
+ negotiated protocol version. Otherwise it should be left unset.
+ 
++Similarly to the B<RSA_PKCS1_WITH_TLS_PADDING> above, since OpenSSL version
++3.1.0, the use of B<RSA_PKCS1_PADDING> will return a randomly generated message
++instead of padding errors in case padding checks fail. Applications that
++want to remain secure while using earlier versions of OpenSSL, still need to
++handle both the error code from the RSA decryption operation and the
++returned message in a side channel secure manner.
++
+ =head2 DSA parameters
+ 
+ EVP_PKEY_CTX_set_dsa_paramgen_bits() sets the number of bits used for DSA
+diff --git a/doc/man3/EVP_PKEY_decrypt.pod b/doc/man3/EVP_PKEY_decrypt.pod
+index b6f9bad5f1..898535a7a2 100644
+--- a/doc/man3/EVP_PKEY_decrypt.pod
++++ b/doc/man3/EVP_PKEY_decrypt.pod
+@@ -51,6 +51,18 @@ return 1 for success and 0 or a negative value for failure. In particular a
+ return value of -2 indicates the operation is not supported by the public key
+ algorithm.
+ 
++=head1 WARNINGS
++
++In OpenSSL versions before 3.1.0, when used in PKCS#1 v1.5 padding,
++both the return value from the EVP_PKEY_decrypt() and the B<outlen> provided
++information useful in mounting a Bleichenbacher attack against the
++used private key. They had to processed in a side-channel free way.
++
++Since version 3.1.0, the EVP_PKEY_decrypt() method when used with PKCS#1
++v1.5 padding doesn't return an error in case it detects an error in padding,
++instead it returns a pseudo-randomly generated message, removing the need
++of side-channel secure code from applications using OpenSSL.
++
+ =head1 EXAMPLES
+ 
+ Decrypt data using OAEP (for RSA keys):
+diff --git a/doc/man3/RSA_padding_add_PKCS1_type_1.pod b/doc/man3/RSA_padding_add_PKCS1_type_1.pod
+index 9f7025c497..36ae18563f 100644
+--- a/doc/man3/RSA_padding_add_PKCS1_type_1.pod
++++ b/doc/man3/RSA_padding_add_PKCS1_type_1.pod
+@@ -121,8 +121,8 @@ L<ERR_get_error(3)>.
+ 
+ =head1 WARNINGS
+ 
+-The result of RSA_padding_check_PKCS1_type_2() is a very sensitive
+-information which can potentially be used to mount a Bleichenbacher
++The result of RSA_padding_check_PKCS1_type_2() is exactly the
++information which is used to mount a classical Bleichenbacher
+ padding oracle attack. This is an inherent weakness in the PKCS #1
+ v1.5 padding design. Prefer PKCS1_OAEP padding. If that is not
+ possible, the result of RSA_padding_check_PKCS1_type_2() should be
+@@ -137,6 +137,9 @@ as this would create a small timing side channel which could be
+ used to mount a Bleichenbacher attack against any padding mode
+ including PKCS1_OAEP.
+ 
++You should prefer the use of EVP PKEY APIs for PKCS#1 v1.5 decryption
++as they implement the necessary workarounds internally.
++
+ =head1 SEE ALSO
+ 
+ L<RSA_public_encrypt(3)>,
+diff --git a/doc/man3/RSA_public_encrypt.pod b/doc/man3/RSA_public_encrypt.pod
+index 1d38073aea..bd3f835ac6 100644
+--- a/doc/man3/RSA_public_encrypt.pod
++++ b/doc/man3/RSA_public_encrypt.pod
+@@ -52,8 +52,8 @@ Encrypting user data directly with RSA is insecure.
+ 
+ =back
+ 
+-B<flen> must not be more than RSA_size(B<rsa>) - 11 for the PKCS #1 v1.5
+-based padding modes, not more than RSA_size(B<rsa>) - 42 for
++When encrypting B<flen> must not be more than RSA_size(B<rsa>) - 11 for the
++PKCS #1 v1.5 based padding modes, not more than RSA_size(B<rsa>) - 42 for
+ RSA_PKCS1_OAEP_PADDING and exactly RSA_size(B<rsa>) for RSA_NO_PADDING.
+ When a padding mode other than RSA_NO_PADDING is in use, then
+ RSA_public_encrypt() will include some random bytes into the ciphertext
+@@ -92,6 +92,13 @@ which can potentially be used to mount a Bleichenbacher padding oracle
+ attack. This is an inherent weakness in the PKCS #1 v1.5 padding
+ design. Prefer RSA_PKCS1_OAEP_PADDING.
+ 
++In OpenSSL before version 3.1.0, both the return value and the length of
++returned value could be used to mount the Bleichenbacher attack.
++Since version 3.1.0, OpenSSL does not return an error in case of padding
++checks failed. Instead it generates a random message based on used private
++key and provided ciphertext so that application code doesn't have to implement
++a side-channel secure error handling.
++
+ =head1 CONFORMING TO
+ 
+ SSL, PKCS #1 v2.0
+diff --git a/include/crypto/rsa.h b/include/crypto/rsa.h
+index 949873d0ee..f267e5d9d1 100644
+--- a/include/crypto/rsa.h
++++ b/include/crypto/rsa.h
+@@ -83,6 +83,10 @@ int ossl_rsa_param_decode(RSA *rsa, const X509_ALGOR *alg);
+ RSA *ossl_rsa_key_from_pkcs8(const PKCS8_PRIV_KEY_INFO *p8inf,
+                              OSSL_LIB_CTX *libctx, const char *propq);
+ 
++int ossl_rsa_padding_check_PKCS1_type_2(OSSL_LIB_CTX *ctx,
++                                        unsigned char *to, int tlen,
++                                        const unsigned char *from, int flen,
++                                        int num, unsigned char *kdk);
+ int ossl_rsa_padding_check_PKCS1_type_2_TLS(OSSL_LIB_CTX *ctx, unsigned char *to,
+                                             size_t tlen,
+                                             const unsigned char *from,
+-- 
+2.34.1
+

meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-2.patch

@@ -0,0 +1,358 @@
+From e92f0cd3b03e5aca948b03df7e3d02e536700f68 Mon Sep 17 00:00:00 2001
+From: Hubert Kario <hkario@redhat.com>
+Date: Thu, 27 Oct 2022 19:16:58 +0200
+Subject: [PATCH 2/3] rsa: Add option to disable implicit rejection
+
+CVE: CVE-2023-50781
+
+Upstream-Status: Backport
+[https://github.com/openssl/openssl/commit/5ab3ec1bb1eaa795d775f5896818cfaa84d33a1a]
+
+Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/13817)
+
+Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
+---
+ crypto/cms/cms_env.c                          |  7 +++++
+ crypto/evp/ctrl_params_translate.c            |  6 +++++
+ crypto/rsa/rsa_ossl.c                         | 16 ++++++++----
+ crypto/rsa/rsa_pmeth.c                        | 20 +++++++++++++-
+ doc/man1/openssl-pkeyutl.pod.in               | 10 +++++++
+ doc/man3/EVP_PKEY_CTX_ctrl.pod                |  2 ++
+ doc/man7/provider-asym_cipher.pod             |  9 +++++++
+ include/openssl/core_names.h                  |  2 ++
+ include/openssl/rsa.h                         |  5 ++++
+ .../implementations/asymciphers/rsa_enc.c     | 26 +++++++++++++++++--
+ 10 files changed, 95 insertions(+), 8 deletions(-)
+
+diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c
+index 445a16fb77..49b0289114 100644
+--- a/crypto/cms/cms_env.c
++++ b/crypto/cms/cms_env.c
+@@ -581,6 +581,13 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
+     if (!ossl_cms_env_asn1_ctrl(ri, 1))
+         goto err;
+ 
++    if (EVP_PKEY_is_a(pkey, "RSA"))
++        /* upper layer CMS code incorrectly assumes that a successful RSA
++         * decryption means that the key matches ciphertext (which never
++         * was the case, implicit rejection or not), so to make it work
++         * disable implicit rejection for RSA keys */
++        EVP_PKEY_CTX_ctrl_str(ktri->pctx, "rsa_pkcs1_implicit_rejection", "0");
++
+     if (EVP_PKEY_decrypt(ktri->pctx, NULL, &eklen,
+                          ktri->encryptedKey->data,
+                          ktri->encryptedKey->length) <= 0)
+diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c
+index 44d0895bcf..db7325439a 100644
+--- a/crypto/evp/ctrl_params_translate.c
++++ b/crypto/evp/ctrl_params_translate.c
+@@ -2269,6 +2269,12 @@ static const struct translation_st evp_pkey_ctx_translations[] = {
+       EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, NULL, NULL,
+       OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, OSSL_PARAM_OCTET_PTR, NULL },
+ 
++    { SET, EVP_PKEY_RSA, 0, EVP_PKEY_OP_TYPE_CRYPT,
++      EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION, NULL,
++      "rsa_pkcs1_implicit_rejection",
++      OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, OSSL_PARAM_UNSIGNED_INTEGER,
++      NULL },
++
+     { SET, EVP_PKEY_RSA_PSS, 0, EVP_PKEY_OP_TYPE_GEN,
+       EVP_PKEY_CTRL_MD, "rsa_pss_keygen_md", NULL,
+       OSSL_ALG_PARAM_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md },
+diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c
+index 330302ae55..4bdacd5ed9 100644
+--- a/crypto/rsa/rsa_ossl.c
++++ b/crypto/rsa/rsa_ossl.c
+@@ -395,6 +395,12 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
+     BIGNUM *unblind = NULL;
+     BN_BLINDING *blinding = NULL;
+ 
++    /*
++     * we need the value of the private exponent to perform implicit rejection
++     */
++    if ((rsa->flags & RSA_FLAG_EXT_PKEY) && (padding == RSA_PKCS1_PADDING))
++        padding = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING;
++
+     if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL)
+         goto err;
+     BN_CTX_start(ctx);
+@@ -489,7 +495,7 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
+      * derive the Key Derivation Key from private exponent and public
+      * ciphertext
+      */
+-    if (!(rsa->flags & RSA_FLAG_EXT_PKEY)) {
++    if (padding == RSA_PKCS1_PADDING) {
+         /*
+          * because we use d as a handle to rsa->d we need to keep it local and
+          * free before any further use of rsa->d
+@@ -565,11 +571,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
+         goto err;
+ 
+     switch (padding) {
++    case RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING:
++        r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
++        break;
+     case RSA_PKCS1_PADDING:
+-        if (rsa->flags & RSA_FLAG_EXT_PKEY)
+-            r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num);
+-        else
+-            r = ossl_rsa_padding_check_PKCS1_type_2(rsa->libctx, to, num, buf, j, num, kdk);
++        r = ossl_rsa_padding_check_PKCS1_type_2(rsa->libctx, to, num, buf, j, num, kdk);
+         break;
+     case RSA_PKCS1_OAEP_PADDING:
+         r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0);
+diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c
+index 0bf5ac098a..81b031f81b 100644
+--- a/crypto/rsa/rsa_pmeth.c
++++ b/crypto/rsa/rsa_pmeth.c
+@@ -52,6 +52,8 @@ typedef struct {
+     /* OAEP label */
+     unsigned char *oaep_label;
+     size_t oaep_labellen;
++    /* if to use implicit rejection in PKCS#1 v1.5 decryption */
++    int implicit_rejection;
+ } RSA_PKEY_CTX;
+ 
+ /* True if PSS parameters are restricted */
+@@ -72,6 +74,7 @@ static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
+     /* Maximum for sign, auto for verify */
+     rctx->saltlen = RSA_PSS_SALTLEN_AUTO;
+     rctx->min_saltlen = -1;
++    rctx->implicit_rejection = 1;
+     ctx->data = rctx;
+     ctx->keygen_info = rctx->gentmp;
+     ctx->keygen_info_count = 2;
+@@ -97,6 +100,7 @@ static int pkey_rsa_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src)
+     dctx->md = sctx->md;
+     dctx->mgf1md = sctx->mgf1md;
+     dctx->saltlen = sctx->saltlen;
++    dctx->implicit_rejection = sctx->implicit_rejection;
+     if (sctx->oaep_label) {
+         OPENSSL_free(dctx->oaep_label);
+         dctx->oaep_label = OPENSSL_memdup(sctx->oaep_label, sctx->oaep_labellen);
+@@ -347,6 +351,7 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
+                             const unsigned char *in, size_t inlen)
+ {
+     int ret;
++    int pad_mode;
+     RSA_PKEY_CTX *rctx = ctx->data;
+     /*
+      * Discard const. Its marked as const because this may be a cached copy of
+@@ -367,7 +372,12 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
+                                                 rctx->oaep_labellen,
+                                                 rctx->md, rctx->mgf1md);
+     } else {
+-        ret = RSA_private_decrypt(inlen, in, out, rsa, rctx->pad_mode);
++        if (rctx->pad_mode == RSA_PKCS1_PADDING &&
++              rctx->implicit_rejection == 0)
++            pad_mode = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING;
++        else
++            pad_mode = rctx->pad_mode;
++        ret = RSA_private_decrypt(inlen, in, out, rsa, pad_mode);
+     }
+     *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret);
+     ret = constant_time_select_int(constant_time_msb(ret), ret, 1);
+@@ -591,6 +601,14 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
+         *(unsigned char **)p2 = rctx->oaep_label;
+         return rctx->oaep_labellen;
+ 
++    case EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION:
++        if (rctx->pad_mode != RSA_PKCS1_PADDING) {
++            ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE);
++            return -2;
++        }
++        rctx->implicit_rejection = p1;
++        return 1;
++
+     case EVP_PKEY_CTRL_DIGESTINIT:
+     case EVP_PKEY_CTRL_PKCS7_SIGN:
+ #ifndef OPENSSL_NO_CMS
+diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in
+index 015265a74d..5e62551d34 100644
+--- a/doc/man1/openssl-pkeyutl.pod.in
++++ b/doc/man1/openssl-pkeyutl.pod.in
+@@ -305,6 +305,16 @@ explicitly set in PSS mode then the signing digest is used.
+ Sets the digest used for the OAEP hash function. If not explicitly set then
+ SHA1 is used.
+ 
++=item B<rsa_pkcs1_implicit_rejection:>I<flag>
++
++Disables (when set to 0) or enables (when set to 1) the use of implicit
++rejection with PKCS#1 v1.5 decryption. When enabled (the default), as a
++protection against Bleichenbacher attack, the library will generate a
++deterministic random plaintext that it will return to the caller in case
++of padding check failure.
++When disabled, it's the callers' responsibility to handle the returned
++errors in a side-channel free manner.
++
+ =back
+ 
+ =head1 RSA-PSS ALGORITHM
+diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod
+index e788f38809..3844aa2199 100644
+--- a/doc/man3/EVP_PKEY_CTX_ctrl.pod
++++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod
+@@ -392,6 +392,8 @@ instead of padding errors in case padding checks fail. Applications that
+ want to remain secure while using earlier versions of OpenSSL, still need to
+ handle both the error code from the RSA decryption operation and the
+ returned message in a side channel secure manner.
++This protection against Bleichenbacher attacks can be disabled by setting
++the OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION (an unsigned integer) to 0.
+ 
+ =head2 DSA parameters
+ 
+diff --git a/doc/man7/provider-asym_cipher.pod b/doc/man7/provider-asym_cipher.pod
+index 0976a263a8..2a8426a6ed 100644
+--- a/doc/man7/provider-asym_cipher.pod
++++ b/doc/man7/provider-asym_cipher.pod
+@@ -234,6 +234,15 @@ The TLS protocol version first requested by the client.
+ 
+ The negotiated TLS protocol version.
+ 
++=item "implicit-rejection" (B<OSSL_PKEY_PARAM_IMPLICIT_REJECTION>) <unsigned integer>
++
++Gets of sets the use of the implicit rejection mechanism for RSA PKCS#1 v1.5
++decryption. When set (non zero value), the decryption API will return
++a deterministically random value if the PKCS#1 v1.5 padding check fails.
++This makes explotation of the Bleichenbacher significantly harder, even
++if the code using the RSA decryption API is not implemented in side-channel
++free manner. Set by default.
++
+ =back
+ 
+ OSSL_FUNC_asym_cipher_gettable_ctx_params() and OSSL_FUNC_asym_cipher_settable_ctx_params()
+diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
+index 6bed5a8a67..5a350b537f 100644
+--- a/include/openssl/core_names.h
++++ b/include/openssl/core_names.h
+@@ -292,6 +292,7 @@ extern "C" {
+ #define OSSL_PKEY_PARAM_DIST_ID             "distid"
+ #define OSSL_PKEY_PARAM_PUB_KEY             "pub"
+ #define OSSL_PKEY_PARAM_PRIV_KEY            "priv"
++#define OSSL_PKEY_PARAM_IMPLICIT_REJECTION  "implicit-rejection"
+ 
+ /* Diffie-Hellman/DSA Parameters */
+ #define OSSL_PKEY_PARAM_FFC_P               "p"
+@@ -467,6 +468,7 @@ extern "C" {
+ #define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL               "oaep-label"
+ #define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION       "tls-client-version"
+ #define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION   "tls-negotiated-version"
++#define OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION       "implicit-rejection"
+ 
+ /*
+  * Encoder / decoder parameters
+diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h
+index a55c9727c6..247f9014e3 100644
+--- a/include/openssl/rsa.h
++++ b/include/openssl/rsa.h
+@@ -183,6 +183,8 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label);
+ 
+ # define EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES  (EVP_PKEY_ALG_CTRL + 13)
+ 
++# define EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION (EVP_PKEY_ALG_CTRL + 14)
++
+ # define RSA_PKCS1_PADDING          1
+ # define RSA_NO_PADDING             3
+ # define RSA_PKCS1_OAEP_PADDING     4
+@@ -192,6 +194,9 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label);
+ # define RSA_PKCS1_PSS_PADDING      6
+ # define RSA_PKCS1_WITH_TLS_PADDING 7
+ 
++/* internal RSA_ only */
++# define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8
++
+ # define RSA_PKCS1_PADDING_SIZE    11
+ 
+ # define RSA_set_app_data(s,arg)         RSA_set_ex_data(s,0,arg)
+diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
+index c8921acd6e..11a91e62b1 100644
+--- a/providers/implementations/asymciphers/rsa_enc.c
++++ b/providers/implementations/asymciphers/rsa_enc.c
+@@ -75,6 +75,8 @@ typedef struct {
+     /* TLS padding */
+     unsigned int client_version;
+     unsigned int alt_version;
++    /* PKCS#1 v1.5 decryption mode */
++    unsigned int implicit_rejection;
+ } PROV_RSA_CTX;
+ 
+ static void *rsa_newctx(void *provctx)
+@@ -107,6 +109,7 @@ static int rsa_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[],
+     RSA_free(prsactx->rsa);
+     prsactx->rsa = vrsa;
+     prsactx->operation = operation;
++    prsactx->implicit_rejection = 1;
+ 
+     switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) {
+     case RSA_FLAG_TYPE_RSA:
+@@ -199,6 +202,7 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen,
+ {
+     PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
+     int ret;
++    int pad_mode;
+     size_t len = RSA_size(prsactx->rsa);
+ 
+     if (!ossl_prov_is_running())
+@@ -276,8 +280,12 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen,
+         }
+         OPENSSL_free(tbuf);
+     } else {
+-        ret = RSA_private_decrypt(inlen, in, out, prsactx->rsa,
+-                                  prsactx->pad_mode);
++        if ((prsactx->implicit_rejection == 0) &&
++                (prsactx->pad_mode == RSA_PKCS1_PADDING))
++            pad_mode = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING;
++        else
++            pad_mode = prsactx->pad_mode;
++        ret = RSA_private_decrypt(inlen, in, out, prsactx->rsa, pad_mode);
+     }
+     *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret);
+     ret = constant_time_select_int(constant_time_msb(ret), 0, 1);
+@@ -401,6 +409,10 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
+     if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->alt_version))
+         return 0;
+ 
++    p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION);
++    if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->implicit_rejection))
++        return 0;
++
+     return 1;
+ }
+ 
+@@ -412,6 +424,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
+                     NULL, 0),
+     OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL),
+     OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
++    OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL),
+     OSSL_PARAM_END
+ };
+ 
+@@ -549,6 +562,14 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
+             return 0;
+         prsactx->alt_version = alt_version;
+     }
++    p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION);
++    if (p != NULL) {
++        unsigned int implicit_rejection;
++
++        if (!OSSL_PARAM_get_uint(p, &implicit_rejection))
++            return 0;
++        prsactx->implicit_rejection = implicit_rejection;
++    }
+ 
+     return 1;
+ }
+@@ -562,6 +583,7 @@ static const OSSL_PARAM known_settable_ctx_params[] = {
+     OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, NULL, 0),
+     OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL),
+     OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
++    OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL),
+     OSSL_PARAM_END
+ };
+ 
+-- 
+2.34.1
+

meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-3.patch

@@ -0,0 +1,41 @@
+From ba78f7b0599ba5bfb5032dd2664465c5b13388e3 Mon Sep 17 00:00:00 2001
+From: Hubert Kario <hkario@redhat.com>
+Date: Tue, 22 Nov 2022 18:25:49 +0100
+Subject: [PATCH 3/3] smime/pkcs7: disable the Bleichenbacher workaround
+
+CVE: CVE-2023-50781
+
+Upstream-Status: Backport
+[https://github.com/openssl/openssl/commit/056dade341d2589975a3aae71f81c8d7061583c7]
+
+Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/13817)
+
+Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
+---
+ crypto/pkcs7/pk7_doit.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
+index e9de097da1..6d3124da87 100644
+--- a/crypto/pkcs7/pk7_doit.c
++++ b/crypto/pkcs7/pk7_doit.c
+@@ -170,6 +170,13 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
+     if (EVP_PKEY_decrypt_init(pctx) <= 0)
+         goto err;
+ 
++    if (EVP_PKEY_is_a(pkey, "RSA"))
++        /* upper layer pkcs7 code incorrectly assumes that a successful RSA
++         * decryption means that the key matches ciphertext (which never
++         * was the case, implicit rejection or not), so to make it work
++         * disable implicit rejection for RSA keys */
++        EVP_PKEY_CTX_ctrl_str(pctx, "rsa_pkcs1_implicit_rejection", "0");
++
+     if (EVP_PKEY_decrypt(pctx, NULL, &eklen,
+                          ri->enc_key->data, ri->enc_key->length) <= 0)
+         goto err;
+-- 
+2.34.1
+