<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/lib/oe, branch scarthgap</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=scarthgap</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=scarthgap'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2026-05-04T12:57:30+00:00</updated>
<entry>
<title>spdx30_tasks: fix condition in create_spdx</title>
<updated>2026-05-04T12:57:30+00:00</updated>
<author>
<name>João Marcos Costa (Schneider Electric)</name>
<email>joaomarcos.costa@bootlin.com</email>
</author>
<published>2026-04-02T09:34:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=1f07faf3dce25bfcaf2c5c8f6652934baeed4db3'/>
<id>urn:sha1:1f07faf3dce25bfcaf2c5c8f6652934baeed4db3</id>
<content type='text'>
Considering that *detail* is an actual variable, not a string, remove the
quotes to make the 'in' statement coherent.

(From OE-Core rev: 8071a93c6b619dc9fcc2a7f1bcf94994499defbe)

Signed-off-by: João Marcos Costa (Schneider Electric) &lt;joaomarcos.costa@bootlin.com&gt;
Reviewed-by: Joshua Watt &lt;JPEWhacker@gmail.com&gt;
Signed-off-by: Yoann Congal &lt;yoann.congal@smile.fr&gt;
Signed-off-by: Paul Barker &lt;paul@pbarker.dev&gt;
</content>
</entry>
<entry>
<title>spdx: add option to include only compiled sources</title>
<updated>2026-04-02T12:41:54+00:00</updated>
<author>
<name>João Marcos Costa (Schneider Electric)</name>
<email>joaomarcos.costa@bootlin.com</email>
</author>
<published>2026-03-23T09:22:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=8cde17408f644e99b37496121d8f0171375ae0e7'/>
<id>urn:sha1:8cde17408f644e99b37496121d8f0171375ae0e7</id>
<content type='text'>
When SPDX_INCLUDE_COMPILED_SOURCES is enabled, only include the
source code files that are used during compilation.

It uses debugsource information generated during do_package.

This enables an external tool to use the SPDX information to disregard
vulnerabilities that are not compiled.

As example, when used with the default config with linux-yocto, the spdx size is
reduced from 156MB to 61MB.

(From OE-Core rev: c6a2f1fca76fae4c3ea471a0c63d0b453beea968)
Adapted to existing files for SPDX3.0

Tested with:
- bitbake world on oe-core
- oe-selftest --run-tests spdx.SPDX30Check

Regarding SPDX2.2, the respective backport was already performed in
OE-Core rev: a2866934e58fb377a73e87576c8594988a63ad1b

(From OE-Core rev: 1c7dfab26d69a87bb026e05b3bbf6a266858c0d1)

Signed-off-by: João Marcos Costa (Schneider Electric) &lt;joaomarcos.costa@bootlin.com&gt;
Signed-off-by: Yoann Congal &lt;yoann.congal@smile.fr&gt;
Signed-off-by: Paul Barker &lt;paul@pbarker.dev&gt;
</content>
</entry>
<entry>
<title>lsb.py: strip ' from os-release file</title>
<updated>2026-03-25T17:34:13+00:00</updated>
<author>
<name>Martin Jansa</name>
<email>martin.jansa@gmail.com</email>
</author>
<published>2026-01-20T14:41:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=eedd0439ba07094be3f72e5e60234586a1143858'/>
<id>urn:sha1:eedd0439ba07094be3f72e5e60234586a1143858</id>
<content type='text'>
In gentoo the file looks like this:

NAME='Gentoo'
ID='gentoo'
PRETTY_NAME='Gentoo Linux'
VERSION='2.18'
VERSION_ID='2.18'
HOME_URL='https://www.gentoo.org/'
SUPPORT_URL='https://www.gentoo.org/support/'
BUG_REPORT_URL='https://bugs.gentoo.org/'
ANSI_COLOR='1;32'

' were added with:
https://github.com/gentoo/gentoo/commit/2f590e35c9d3d13d5673163527120b2de97fdc80

before that the os-release file looked like this:

NAME=Gentoo
ID=gentoo
PRETTY_NAME="Gentoo Linux"
ANSI_COLOR="1;32"
HOME_URL="https://www.gentoo.org/"
SUPPORT_URL="https://www.gentoo.org/support/"
BUG_REPORT_URL="https://bugs.gentoo.org/"
VERSION_ID="2.18"

The ' is stripped from the ID later in distro_identifier with:
    # Filter out any non-alphanumerics and convert to lowercase
    distro_id = re.sub(r'\W', '', distro_id).lower()
but not from version which results in a weird NATIVELSBSTRING like:
    NATIVELSBSTRING      = "gentoo-'2.18'"

And similarly the directory name in sstate-cache:

oe-core $ ls -d sstate-cache/gentoo-*
"sstate-cache/gentoo-'2.18'"   sstate-cache/gentoo-2.18

(From OE-Core rev: 9906255a99f13bf6feefca11e8305364efce6450)

Signed-off-by: Martin Jansa &lt;martin.jansa@gmail.com&gt;
Signed-off-by: Antonin Godard &lt;antonin.godard@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit 55f82653deb1ea8f1304fcba4d588bd55695b616)
Signed-off-by: Yoann Congal &lt;yoann.congal@smile.fr&gt;
Signed-off-by: Paul Barker &lt;paul@pbarker.dev&gt;
</content>
</entry>
<entry>
<title>spdx30_tasks: Exclude 'doc' when exporting PACKAGECONFIG to SPDX</title>
<updated>2026-02-27T17:45:06+00:00</updated>
<author>
<name>Benjamin Robin (Schneider Electric)</name>
<email>benjamin.robin@bootlin.com</email>
</author>
<published>2026-02-09T16:25:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=c4da6ca1c2e5d3bdbc78b9e9779071eb50efda71'/>
<id>urn:sha1:c4da6ca1c2e5d3bdbc78b9e9779071eb50efda71</id>
<content type='text'>
Currently when generating an SBOM, all packages have the 'doc' feature
indicated as disabled. This is in fact *not* a feature that was
declared in the recipe, but instead the documentation of the
PACKAGECONFIG variable.

But to be safe, if somehow a feature is named 'doc' and enabled, do
not exclude it when exporting PACKAGECONFIG features to SPDX.

(From OE-Core rev: 87de87206b71bb165b946d5f4f6e9e5395292179)

Signed-off-by: Benjamin Robin (Schneider Electric) &lt;benjamin.robin@bootlin.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@arm.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit 933394adcb0d2db66ef7e0656a464241e58ec2e7)
Signed-off-by: Yoann Congal &lt;yoann.congal@smile.fr&gt;
Signed-off-by: Paul Barker &lt;paul@pbarker.dev&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>spdx30_tasks: Add support for exporting PACKAGECONFIG to SPDX</title>
<updated>2025-12-31T15:49:31+00:00</updated>
<author>
<name>Kamel Bouhara (Schneider Electric)</name>
<email>kamel.bouhara@bootlin.com</email>
</author>
<published>2025-12-15T15:54:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=707dce4f01527b23e775ec31282e94c3a74e71da'/>
<id>urn:sha1:707dce4f01527b23e775ec31282e94c3a74e71da</id>
<content type='text'>
Introduce the SPDX_INCLUDE_PACKAGECONFIG variable, which when enabled causes
PACKAGECONFIG features to be recorded in the SPDX document as build parameters.

Each feature is recorded as a DictionaryEntry with key PACKAGECONFIG:&lt;feature&gt;
and value enabled or disabled, depending on whether the feature is active in
the current build.

This makes the build-time configuration more transparent in SPDX output and
improves reproducibility tracking.

This makes the build-time configuration more transparent in SPDX output and
improves reproducibility tracking. In particular, it allows consumers of the
SBOM to identify enabled/disabled features that may affect security posture
or feature set.

Reviewed-by: Joshua Watt &lt;JPEWhacker@gmail.com&gt;
(From OE-Core rev: 5cfd0690f819379d9f97c86d2078c3e529efe385)

Signed-off-by: Kamel Bouhara (Schneider Electric) &lt;kamel.bouhara@bootlin.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit 7ec61ac40345a5c0ef1ce20513a4596989c91ef4)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>Revert "lib/oe/go: document map_arch, and raise an error on unknown architecture"</title>
<updated>2025-12-17T16:48:38+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-12-10T19:07:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=553530a8acce3b078473c0fa512246a3e84d46bf'/>
<id>urn:sha1:553530a8acce3b078473c0fa512246a3e84d46bf</id>
<content type='text'>
This reverts commit e6de433ccb2784581d6c775cce97f414ef9334b1.

This introduced a breaking change which is not suitable for backport to
stable LTS branches.

(From OE-Core rev: 2b3d2b671a149cbeea2bdc9ba42192da2015c3b7)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>cve-check: extract extending CVE_STATUS to library function</title>
<updated>2025-12-01T15:34:55+00:00</updated>
<author>
<name>Benjamin Robin (Schneider Electric)</name>
<email>benjamin.robin@bootlin.com</email>
</author>
<published>2025-11-21T09:54:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=d1f8b0c6ddb1adad4be4cb465463e13d12c81ecc'/>
<id>urn:sha1:d1f8b0c6ddb1adad4be4cb465463e13d12c81ecc</id>
<content type='text'>
The same code for extending CVE_STATUS by CVE_CHECK_IGNORE and
CVE_STATUS_GROUPS is used on multiple places.
Create a library function to have the code on single place and ready for
reuse by additional classes.

Conflicts:
  meta/classes/cve-check.bbclass
  meta/lib/oe/cve_check.py

(From OE-Core rev: ddd295c7d4c313fbbb24f7a5e633d4adfea4054a)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit 45e18f4270d084d81c21b1e5a4a601ce975d8a77)
Signed-off-by: Benjamin Robin (Schneider Electric) &lt;benjamin.robin@bootlin.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>spdx30: provide all CVE_STATUS, not only Patched status</title>
<updated>2025-12-01T15:34:55+00:00</updated>
<author>
<name>Benjamin Robin (Schneider Electric)</name>
<email>benjamin.robin@bootlin.com</email>
</author>
<published>2025-11-21T09:54:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=976648aa6087a8bd815bf9b1e2bae3d1e8f3600b'/>
<id>urn:sha1:976648aa6087a8bd815bf9b1e2bae3d1e8f3600b</id>
<content type='text'>
In scarthgap, the `oe.cve_check.get_patched_cves()` method only returns
CVEs with a "Patched" status. We want to retrieve all annotations,
including those with an "Ignored" status. Therefore, to avoid modifying
the current API, we integrate the logic for retrieving all CVE_STATUS
values ​​directly into `spdx30_task`.

(From OE-Core rev: 9a204670b1c0daedf1ed8ff944f8e5443b39c8f7)

Signed-off-by: Benjamin Robin (Schneider Electric) &lt;benjamin.robin@bootlin.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>Revert "spdx: Update for bitbake changes"</title>
<updated>2025-12-01T15:34:54+00:00</updated>
<author>
<name>Kai Kang</name>
<email>kai.kang@windriver.com</email>
</author>
<published>2025-11-24T13:55:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=91ba7b5d6613c8ea493c9eb7e592c30d5a0bf335'/>
<id>urn:sha1:91ba7b5d6613c8ea493c9eb7e592c30d5a0bf335</id>
<content type='text'>
This reverts part of commit 4859cdf97fd9a260036e148e25f0b78eb393df1e.

Modification of meta/classes/create-spdx-2.2.bbclass is not backported,
so no need to consider it.

In the commit, it updates spdx according to bitbake change. But the
bitbake commit

* 2515fbd10 fetch: Drop multiple branch/revision support for single git urls

doesn't backport for scarthgap.

So revert the other parts of the commit 4859cdf97fd9a260036e148e25f0b.

(From OE-Core rev: f3bfb98d1cf928678d9931308c116e9e6ec64ba5)

Signed-off-by: Kai Kang &lt;kai.kang@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>lib/oe/go: document map_arch, and raise an error on unknown architecture</title>
<updated>2025-11-26T15:50:35+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross.burton@arm.com</email>
</author>
<published>2025-11-13T12:28:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=6707dcecb23666e96d9ab1dc568f58bf2cd35aad'/>
<id>urn:sha1:6707dcecb23666e96d9ab1dc568f58bf2cd35aad</id>
<content type='text'>
Add a comment explaining what this function does and where the values
come from.

If the architecture isn't know, instead of returning an empty string
which could fail mysteriously, raise a KeyError so it fails quickly.

(From OE-Core rev: 025414c16319b068df1cd757ad9a3c987a6b871d)

(From OE-Core rev: e6de433ccb2784581d6c775cce97f414ef9334b1)

Signed-off-by: Ross Burton &lt;ross.burton@arm.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
</feed>
