<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/classes, branch scarthgap</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=scarthgap</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=scarthgap'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2026-05-04T12:57:33+00:00</updated>
<entry>
<title>archiver: Don't try to preserve all attributes when copying files</title>
<updated>2026-05-04T12:57:33+00:00</updated>
<author>
<name>Richard Purdie</name>
<email>richard.purdie@linuxfoundation.org</email>
</author>
<published>2026-04-01T21:27:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=98ab055e735fad2d6d6c86f4c84fc3a824363fe1'/>
<id>urn:sha1:98ab055e735fad2d6d6c86f4c84fc3a824363fe1</id>
<content type='text'>
Similar to https://git.openembedded.org/bitbake/commit/?id=2f35dac0c821ab231459922ed98e1b2cc599ca9a
there is a problem in this code when copying from an NFS mount.

We currently use cp -p, which is a shortcut for --preserve=mode,ownership,timestamps.
We shouldn't need to preserve mode/ownership, only timestamps. Update the code
in the same way the bitbake fetcher was fixed for consistency.

This fixes build failures on OpenSUSE 16.0.

(From OE-Core rev: 6ffd2c303d23b51a0a11f56e2e89c5a19596d228)

Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit 6e8313688fa994c82e4c846993ed8da0d1f4db0e)
Signed-off-by: Yoann Congal &lt;yoann.congal@smile.fr&gt;
Signed-off-by: Paul Barker &lt;paul@pbarker.dev&gt;
</content>
</entry>
<entry>
<title>spdx: add option to include only compiled sources</title>
<updated>2026-04-02T12:41:54+00:00</updated>
<author>
<name>João Marcos Costa (Schneider Electric)</name>
<email>joaomarcos.costa@bootlin.com</email>
</author>
<published>2026-03-23T09:22:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=8cde17408f644e99b37496121d8f0171375ae0e7'/>
<id>urn:sha1:8cde17408f644e99b37496121d8f0171375ae0e7</id>
<content type='text'>
When SPDX_INCLUDE_COMPILED_SOURCES is enabled, only include the
source code files that are used during compilation.

It uses debugsource information generated during do_package.

This enables an external tool to use the SPDX information to disregard
vulnerabilities that are not compiled.

As an example, when used with the default config with linux-yocto, the spdx size is
reduced from 156MB to 61MB.

(From OE-Core rev: c6a2f1fca76fae4c3ea471a0c63d0b453beea968)
Adapted to existing files for SPDX3.0

Tested with:
- bitbake world on oe-core
- oe-selftest --run-tests spdx.SPDX30Check

Regarding SPDX2.2, the respective backport was already performed in
OE-Core rev: a2866934e58fb377a73e87576c8594988a63ad1b

(From OE-Core rev: 1c7dfab26d69a87bb026e05b3bbf6a266858c0d1)

Signed-off-by: João Marcos Costa (Schneider Electric) &lt;joaomarcos.costa@bootlin.com&gt;
Signed-off-by: Yoann Congal &lt;yoann.congal@smile.fr&gt;
Signed-off-by: Paul Barker &lt;paul@pbarker.dev&gt;
</content>
</entry>
<entry>
<title>classes/buildhistory: Do not sign buildhistory commits</title>
<updated>2026-02-27T17:45:06+00:00</updated>
<author>
<name>Fabio Berton</name>
<email>fabio.berton@ctw.bmwgroup.com</email>
</author>
<published>2026-02-18T09:47:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=fa64e0279b1a5ff9af3a74efc36c14c8fc45f617'/>
<id>urn:sha1:fa64e0279b1a5ff9af3a74efc36c14c8fc45f617</id>
<content type='text'>
This change adds the --no-gpg-sign option to prevent buildhistory
commits from failing due to GPG signing issues. Depending on the setup,
buildhistory may fail to create a commit if the user has the
commit.gpgsign option enabled.

For example, if the user creates a signing key that requires a password,
the commit won't be created and will fail with the following error:

/
|error: Enter passphrase: Load key "/home/&lt;user&gt;/.ssh/id_ed25519":
|incorrect passphrase supplied to decrypt private key?
|fatal: failed to write commit object
\

The bitbake command won't fail, but buildhistory won't have a commit.
Also, the commit may silently fail when building inside a container due
to missing packages or issues with accessing the GPG agent.

This is similar to [1], and signing the buildhistory commit
should be avoided to prevent such issues.

1 - https://git.openembedded.org/openembedded-core/commit/?id=7595a0a63a933af9dd9d1e458dc34a4ba80d9eae

(From OE-Core rev: 667cd853a231f1fe884ba83ada2ad6cecb1c41cd)

Signed-off-by: Fabio Berton &lt;fabio.berton@ctw.bmwgroup.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@arm.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit a5e18714aee52db898aaf9d222fb5a4168bde96e)
Signed-off-by: Yoann Congal &lt;yoann.congal@smile.fr&gt;
Signed-off-by: Paul Barker &lt;paul@pbarker.dev&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>go-vendor: Fix absolute paths issue</title>
<updated>2026-02-27T17:45:06+00:00</updated>
<author>
<name>Richard Purdie</name>
<email>richard.purdie@linuxfoundation.org</email>
</author>
<published>2025-01-07T22:20:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=119ec1b846b0a380474c15dbafac6181a05120a6'/>
<id>urn:sha1:119ec1b846b0a380474c15dbafac6181a05120a6</id>
<content type='text'>
When building with the class, avoid errors like:

"sstate found an absolute path symlink /xxx/vendor pointing at
/xxx/import/vendor. Please replace this with a relative link."

Use relative symlinks instead.

(From OE-Core rev: 2ef214747b648733308958b5750c6c053ac49246)

Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Thomas Vandenabeele &lt;thomas@bootzero.one&gt;
(cherry picked from commit fc4f589cc7a8e5feba7940ccb244a74bd5f96371)
Signed-off-by: Yoann Congal &lt;yoann.congal@smile.fr&gt;
Signed-off-by: Paul Barker &lt;paul@pbarker.dev&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>meta/classes: fix missing vardeps for CVE status variables</title>
<updated>2026-02-16T09:52:35+00:00</updated>
<author>
<name>Benjamin Robin (Schneider Electric)</name>
<email>benjamin.robin@bootlin.com</email>
</author>
<published>2026-01-19T08:44:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=9628ed0111ac50754e2926c6002f928f5e1e7415'/>
<id>urn:sha1:9628ed0111ac50754e2926c6002f928f5e1e7415</id>
<content type='text'>
Several CVE helper functions (get_patched_cves() and decode_cve_status())
implicitly depend on the CVE_STATUS and CVE_CHECK_STATUSMAP variables, but
these were not declared in the vardeps of their callers.

On Scarthgap, the upstream fix (2cc43c72ff28aa39a417dd8d57cd7c8741c0e541)
cannot be cherry-picked cleanly, as it also requires BitBake changes.

As a workaround, explicitly add CVE_STATUS and CVE_CHECK_STATUSMAP to the
vardeps of all tasks invoking these helpers, ensuring correct task
re-execution when CVE status changes.

This keeps CVE-related metadata generation consistent without requiring
BitBake modifications.

(From OE-Core rev: 111e1f2febade3c34649f33676f7f7e7cc8e0bd0)

Signed-off-by: Benjamin Robin (Schneider Electric) &lt;benjamin.robin@bootlin.com&gt;
Signed-off-by: Yoann Congal &lt;yoann.congal@smile.fr&gt;
Signed-off-by: Paul Barker &lt;paul@pbarker.dev&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>spdx30_tasks: Add support for exporting PACKAGECONFIG to SPDX</title>
<updated>2025-12-31T15:49:31+00:00</updated>
<author>
<name>Kamel Bouhara (Schneider Electric)</name>
<email>kamel.bouhara@bootlin.com</email>
</author>
<published>2025-12-15T15:54:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=707dce4f01527b23e775ec31282e94c3a74e71da'/>
<id>urn:sha1:707dce4f01527b23e775ec31282e94c3a74e71da</id>
<content type='text'>
Introduce the SPDX_INCLUDE_PACKAGECONFIG variable, which when enabled causes
PACKAGECONFIG features to be recorded in the SPDX document as build parameters.

Each feature is recorded as a DictionaryEntry with key PACKAGECONFIG:&lt;feature&gt;
and value enabled or disabled, depending on whether the feature is active in
the current build.

This makes the build-time configuration more transparent in SPDX output and
improves reproducibility tracking. In particular, it allows consumers of the
SBOM to identify enabled/disabled features that may affect security posture
or feature set.

Reviewed-by: Joshua Watt &lt;JPEWhacker@gmail.com&gt;
(From OE-Core rev: 5cfd0690f819379d9f97c86d2078c3e529efe385)

Signed-off-by: Kamel Bouhara (Schneider Electric) &lt;kamel.bouhara@bootlin.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit 7ec61ac40345a5c0ef1ce20513a4596989c91ef4)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>kernel.bbclass: Add task to export kernel configuration to SPDX</title>
<updated>2025-12-31T15:49:31+00:00</updated>
<author>
<name>Kamel Bouhara (Schneider Electric)</name>
<email>kamel.bouhara@bootlin.com</email>
</author>
<published>2025-12-15T15:54:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=6d222750d5c3254c200259a1ff6ac7c691a7cd7d'/>
<id>urn:sha1:6d222750d5c3254c200259a1ff6ac7c691a7cd7d</id>
<content type='text'>
Introduce a new bitbake task do_create_kernel_config_spdx that extracts
the kernel configuration from ${B}/.config and exports it into the
recipe's SPDX document as a separate build_Build object.

The kernel config parameters are stored as SPDX DictionaryEntry objects
and linked to the main kernel build using an ancestorOf relationship.

This enables the kernel build's configuration to be explicitly captured
in the SPDX document for compliance, auditing, and reproducibility.

The task is gated by SPDX_INCLUDE_KERNEL_CONFIG (default = "0").

Reviewed-by: Joshua Watt &lt;JPEWhacker@gmail.com&gt;
(From OE-Core rev: 1fff29a0428778929ffa530482ebf7db95f1e0ae)

Signed-off-by: Kamel Bouhara (Schneider Electric) &lt;kamel.bouhara@bootlin.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit 228a968e7c47d811c06143279bdb0f9c5f374bef)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>classes/create-spdx-2.2: Define SPDX_VERSION to 2.2</title>
<updated>2025-12-17T16:48:37+00:00</updated>
<author>
<name>Daniel Turull</name>
<email>daniel.turull@ericsson.com</email>
</author>
<published>2025-12-05T14:51:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=8bddd959ff4c6bd9f0567ff8447828ebb69038cb'/>
<id>urn:sha1:8bddd959ff4c6bd9f0567ff8447828ebb69038cb</id>
<content type='text'>
SPDX_VERSION is used in DEPLOY_DIR_SPDX, but if it is not defined,
it will default to SPDX-1.1

Define SPDX_VERSION to have the correct deploy path, to align
with master branch behaviour.

The change in path was introduced in 8996d0899d

CC: Kamel Bouhara (Schneider Electric) &lt;kamel.bouhara@bootlin.com&gt;
CC: JPEWhacker@gmail.com
(From OE-Core rev: 04cc49593a0ba2c51e4f4d477d4587079735b624)

Signed-off-by: Daniel Turull &lt;daniel.turull@ericsson.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>vex: fix rootfs manifest</title>
<updated>2025-12-01T15:34:55+00:00</updated>
<author>
<name>Benjamin Robin (Schneider Electric)</name>
<email>benjamin.robin@bootlin.com</email>
</author>
<published>2025-11-21T09:54:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=35a6ffc2dbc9b307f763653d61074f708ee68848'/>
<id>urn:sha1:35a6ffc2dbc9b307f763653d61074f708ee68848</id>
<content type='text'>
Rootfs VEX file is created by gathering files from CVE_CHECK_DIR
(deploy directory), however recipes generate the files only in
CVE_CHECK_DIR (log directory).
This makes the rootfs VEX always empty without any message.

The code is copied from cve_check class, which writes to both, so let's
keep them aligned and also make vex write both files.

Also add a warning for the case where a cve file is still missing.

(From OE-Core rev: 7493eeed6d53bc704f558a0ccf8a0b5195381873)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit ee6541d0940c65685aaafd7d41a59a9406392e7d)
Signed-off-by: Benjamin Robin (Schneider Electric) &lt;benjamin.robin@bootlin.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>spdx: extend CVE_STATUS variables</title>
<updated>2025-12-01T15:34:55+00:00</updated>
<author>
<name>Benjamin Robin (Schneider Electric)</name>
<email>benjamin.robin@bootlin.com</email>
</author>
<published>2025-11-21T09:54:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=86f11fe94f607212f07add0145e754670fc6d125'/>
<id>urn:sha1:86f11fe94f607212f07add0145e754670fc6d125</id>
<content type='text'>
If spdx is generated without inheriting cve/vex classes (which is poky
default), only explicitly set CVE_STATUS fields are handled.
Calculated ones (e.g. from CVE_STATUS_GROUPS) are ignored.

Fix this by expanding the CVE_STATUS in spdx classes.

(From OE-Core rev: 23a4e02542252657fa45fd4a605aec0af9178e0b)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit ead9c6a8770463c21210a57cc5320f44f7754dd3)
Signed-off-by: Benjamin Robin (Schneider Electric) &lt;benjamin.robin@bootlin.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
</feed>
