<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/lib/oe, branch styhead-5.1.4</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=styhead-5.1.4</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=styhead-5.1.4'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2024-12-09T14:25:53+00:00</updated>
<entry>
<title>do_package/sstate/sstatesig: Change timestamp clamping to hash output only</title>
<updated>2024-12-09T14:25:53+00:00</updated>
<author>
<name>Richard Purdie</name>
<email>richard.purdie@linuxfoundation.org</email>
</author>
<published>2024-10-25T13:31:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=8c3866aa530c7531ef8b7109b9e10c32b0448f47'/>
<id>urn:sha1:8c3866aa530c7531ef8b7109b9e10c32b0448f47</id>
<content type='text'>
The code was changing the timestamps of the files in the do_package output,
particularly the files added for debug sources. This was to do two things:

a) make do_package sstate more reproducible
b) ensure better hash equivalence matching

Unfortuately the debug source files are hardlinks into the source tree for
efficiency so touching these, touches a lot of files in ${B} and ${S}. This
causes unpredictable effects if compile is run again for example, or could
cause compiling in the install task.

The hash equivalence matching is of key importance but we can mimic that
using clamping of the file timestamps in the depsig output used to generate
the hashes.

This patch drops the global timestamp clamping, instead allowing the files
to retain their creation timestamps into sstate. This makes do_package sstate
slightly less reproducibile. We could clamp the sstate timestamps but that
would lead to two different sets of timestamps depending on whether the
data came from sstate or not. I'd prefer to have consistent code behaviour,
rather than differing behavhour depending on whether data came from sstate
or not.

If we wanted to have reproducibiliy and fix the "corruption" of S/B and have
consistent codepaths, the only other option would be two copies of the
sources, which could end up huge and seems the least desireable option.

This patch therefore drops the timestamp clamping in the sstate files
and tweaks the depsig data generation to clamp the timestamps for do_package
instead since this seems the best compromise.

I validated that rpm/deb/ipk files still generate correctly as before.

(From OE-Core rev: 0e6b2c761f6d727fe21a0ce2803a0f0aef236f59)

Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit 475759fdab7200488b2a568b2ba1aa31a456d113)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>cve-check: fix malformed cve status description with : characters</title>
<updated>2024-11-30T13:41:59+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2024-10-30T18:49:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=2b4c64dbef651adac2b371ea19fae4284f4ed1f7'/>
<id>urn:sha1:2b4c64dbef651adac2b371ea19fae4284f4ed1f7</id>
<content type='text'>
When CPE is not provided and character ":" is in cve status description,
current code takes only last part of split function.
This works only if there is no ":" in description, otherwise it drops
the other split parts.

Do a new split of the original string to take the whole description unchanged.
This fixes following entries from world build of poky+meta-oe+meta-python:

tiff-4.6.0-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2015-7313
CVE_STATUS:  fixed-version: Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313 and already 4.3.0 doesn't have the issue
description: //security-tracker.debian.org/tracker/CVE-2015-7313 and already 4.3.0 doesn't have the issue
corrected:   Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313 and already 4.3.0 doesn't have the issue

gnupg-2.5.0-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2022-3219
CVE_STATUS:  upstream-wontfix: Upstream doesn't seem to be keen on merging the proposed commit - https://dev.gnupg.org/T5993
description: //dev.gnupg.org/T5993
corrected:   Upstream doesn't seem to be keen on merging the proposed commit - https://dev.gnupg.org/T5993

libyaml-0.2.5-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2024-35325
CVE_STATUS:  upstream-wontfix: Upstream thinks this is a misuse (or wrong use) of the libyaml API - https://github.com/yaml/libyaml/issues/303
description: //github.com/yaml/libyaml/issues/303
corrected:   Upstream thinks this is a misuse (or wrong use) of the libyaml API - https://github.com/yaml/libyaml/issues/303

libyaml-0.2.5-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2024-35326
CVE_STATUS:  upstream-wontfix: Upstream thinks there is no working code that is exploitable - https://github.com/yaml/libyaml/issues/302
description: //github.com/yaml/libyaml/issues/302
corrected:   Upstream thinks there is no working code that is exploitable - https://github.com/yaml/libyaml/issues/302

libyaml-0.2.5-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2024-35328
CVE_STATUS:  upstream-wontfix: Upstream thinks there is no working code that is exploitable - https://github.com/yaml/libyaml/issues/302
description: //github.com/yaml/libyaml/issues/302
corrected:   Upstream thinks there is no working code that is exploitable - https://github.com/yaml/libyaml/issues/302

cpio-2.15-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2023-7216
CVE_STATUS:  disputed: intended behaviour, see https://lists.gnu.org/archive/html/bug-cpio/2024-03/msg00000.html
description: //lists.gnu.org/archive/html/bug-cpio/2024-03/msg00000.html
corrected:   intended behaviour, see https://lists.gnu.org/archive/html/bug-cpio/2024-03/msg00000.html

openssh-9.9p1-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2023-51767
CVE_STATUS:  upstream-wontfix: It was demonstrated on modified sshd and does not exist in upstream openssh https://bugzilla.mindrot.org/show_bug.cgi?id=3656#c1.
description: //bugzilla.mindrot.org/show_bug.cgi?id=3656#c1.
corrected:   It was demonstrated on modified sshd and does not exist in upstream openssh https://bugzilla.mindrot.org/show_bug.cgi?id=3656#c1.

cups-2.4.10-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2021-25317
CVE_STATUS:  not-applicable-config: This concerns /var/log/cups having lp ownership, our /var/log/cups is root:root, so this doesn't apply.
description: root, so this doesn't apply.
corrected:   This concerns /var/log/cups having lp ownership, our /var/log/cups is root:root, so this doesn't apply.

unzip-1_6.0-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2008-0888
CVE_STATUS:  fixed-version: Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&amp;action=diff applied to 6.0 source
description: //bugzilla.redhat.com/attachment.cgi?id=293893&amp;action=diff applied to 6.0 source
corrected:   Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&amp;action=diff applied to 6.0 source

syslog-ng-4.7.0-r0 do_cve_check: CVE_STATUS with 6 parts for CVE-2022-38725
CVE_STATUS:  cpe-incorrect: cve-check wrongly matches cpe:2.3:a:oneidentity:syslog-ng:*:*:*:*:premium:*:*:* &lt; 7.0.32
description: syslog-ng:*:*:*:*:premium:*:*:* &lt; 7.0.32
corrected:   cve-check wrongly matches cpe:2.3:a:oneidentity:syslog-ng:*:*:*:*:premium:*:*:* &lt; 7.0.32

(From OE-Core rev: 5cd34a34879ad424f3b1637b48892d6fa037861d)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit cc33dd9176726cb4b2d2f142ed1bc655da8e0a9f)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>cve-check: do not skip cve status description after :</title>
<updated>2024-11-30T13:41:59+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2024-10-30T18:49:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=449107b22b3aab032ee7da05a47ff76b8c6e3398'/>
<id>urn:sha1:449107b22b3aab032ee7da05a47ff76b8c6e3398</id>
<content type='text'>
Correct maxsplit parameter from 5 to 4 to not drop text if
description contains ":".

Example:
&gt;&gt;&gt; "detail: cpe:vendor:product:description:cont".split(':', 5)
['detail', ' cpe', 'vendor', 'product', 'description', 'xxx']
&gt;&gt;&gt; "detail: cpe:vendor:product:description:cont".split(':', 4)
['detail', ' cpe', 'vendor', 'product', 'description:xxx']

(From OE-Core rev: 4921605aab4c9588e5c96de3afe08e9d35f51145)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit 3c4d8ca41ac0b429af92bf0ea84f1dfd0cda9e1f)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>lib/oe/package-manager: skip processing installed-pkgs with empty globs</title>
<updated>2024-11-26T13:37:09+00:00</updated>
<author>
<name>Claus Stovgaard</name>
<email>claus.stovgaard@gmail.com</email>
</author>
<published>2024-10-07T20:39:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=28bf1ab6759606a1bfc7526e02eda466173d0cd7'/>
<id>urn:sha1:28bf1ab6759606a1bfc7526e02eda466173d0cd7</id>
<content type='text'>
We can skip processing the installed-pkgs file if globs is empty.
This is the case if self.d.getVar for IMAGE_INSTALL_COMPLEMENTARY
returns an empty string. If globs is an empty string the result from
processing with empty glob in oe-pkgdata-util will always be 0 packages
to install.

Instead of return early on this we just skip and still generate the
locale archive if needed.

(From OE-Core rev: be4dbec9e79b51b9b72670291ba02c4f6d3258dd)

Signed-off-by: Claus Stovgaard &lt;claus.stovgaard@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit 160c45c83d5addf01e4834cf896af871bd6fca7f)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>image.bbclass: Drop support for ImageQAFailed exceptions in image_qa</title>
<updated>2024-10-29T12:51:03+00:00</updated>
<author>
<name>Peter Kjellerstedt</name>
<email>pkj@axis.com</email>
</author>
<published>2024-09-26T12:25:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=0c02f87d310895c79b5042efe5ade100581abb41'/>
<id>urn:sha1:0c02f87d310895c79b5042efe5ade100581abb41</id>
<content type='text'>
After commit 905e224849fbbed1719e0add231b00e2d570b3b4 (image_qa: fix
error handling), any unexpected exceptions in do_image_qa() would result
in a variable being set, but never used, effectively hiding the error.

Since image_qa now calls oe.qa.exit_if_errors(), remove the support for
oe.utils.ImageQAFailed and instead rely on the called functions to call
oe.qa.handle_error() themselves. This matches what do_package_qa() does.

Also update the description of do_image_qa() to explain that the called
functions are expected to call oe.qa.handle_error() themselves.

[ YOCTO #15601 ]

(From OE-Core rev: c00ad42b6a26ceb7a2878ed2c7f6c2821fe513cc)

Signed-off-by: Peter Kjellerstedt &lt;peter.kjellerstedt@axis.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit 0c3e111c965af2bc56533633c376b70b7fa5e1de)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>image_qa: fix error handling</title>
<updated>2024-09-17T11:16:01+00:00</updated>
<author>
<name>Louis Rannou</name>
<email>louis.rannou@non.se.com</email>
</author>
<published>2024-09-13T12:25:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=48a898fdfbb85e35edd4342321d7be0393624934'/>
<id>urn:sha1:48a898fdfbb85e35edd4342321d7be0393624934</id>
<content type='text'>
Make ImageQAFailed inherit BBHandledException so exceptions raised in tests are
catched when the actual test function is executed by bb.utils.better_exec.

Change the do_image_qa tasks so errors are handled with oe.qa.handle_error. Add
some comment to explain this requires to list the test in ERROR_QA or WARN_QA.

[YOCTO #14807]
https://bugzilla.yoctoproject.org/show_bug.cgi?id=14807

(From OE-Core rev: 905e224849fbbed1719e0add231b00e2d570b3b4)

Signed-off-by: Louis Rannou &lt;louis.rannou@non.se.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>spdx30_tasks.py: fix typo in call of is_file method</title>
<updated>2024-09-13T06:15:49+00:00</updated>
<author>
<name>Daniil Batalov</name>
<email>daniil.batalov.123@gmail.com</email>
</author>
<published>2024-09-12T10:03:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=18fce365a5f302ec3bb3e85f72a57762fe706884'/>
<id>urn:sha1:18fce365a5f302ec3bb3e85f72a57762fe706884</id>
<content type='text'>
Method is_file() was wrongly called as isfile()

(From OE-Core rev: 356c52a45db139bf1fdfcf5b6e0903ece7d1dd46)

Signed-off-by: Daniil Batalov &lt;dbatalov@deltard.ru&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>lib/oe/sbom30.py: Fix build parameters</title>
<updated>2024-09-04T11:38:44+00:00</updated>
<author>
<name>Joshua Watt</name>
<email>JPEWhacker@gmail.com</email>
</author>
<published>2024-09-03T15:42:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=b182a015b08c9f74f517e30a8f1856ce06566fcd'/>
<id>urn:sha1:b182a015b08c9f74f517e30a8f1856ce06566fcd</id>
<content type='text'>
The property to specify the build parameters is `build_parameters` not
just `parameters`

(From OE-Core rev: 61afc6322c9b8664de4f32b629c6e6ade775aeba)

Signed-off-by: Joshua Watt &lt;JPEWhacker@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>lib/spdx30_tasks: Report all missing providers</title>
<updated>2024-09-04T11:38:44+00:00</updated>
<author>
<name>Joshua Watt</name>
<email>JPEWhacker@gmail.com</email>
</author>
<published>2024-09-03T15:42:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=819ee3eff3018633009aaf8e26cfaad774c4d3d3'/>
<id>urn:sha1:819ee3eff3018633009aaf8e26cfaad774c4d3d3</id>
<content type='text'>
Instead of failing on the first missing provider, collect all of them
and report them all as it is more convenient for end users trying to fix
problems

(From OE-Core rev: fc96244f424c8b4fbace39dc4af8a4e97f1a104e)

Signed-off-by: Joshua Watt &lt;JPEWhacker@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>buildcfg.py: add dirty status to get_metadata_git_describe</title>
<updated>2024-09-01T10:05:20+00:00</updated>
<author>
<name>Jörg Sommer</name>
<email>joerg.sommer@navimatix.de</email>
</author>
<published>2024-08-30T11:41:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=8f9eaecb3e6c60d517ba9a163980315aaa3fecbc'/>
<id>urn:sha1:8f9eaecb3e6c60d517ba9a163980315aaa3fecbc</id>
<content type='text'>
For postmortem analysis it's helpful to know if the build environment was
clean or contained any modifications.

(From OE-Core rev: edaaa2ad311663beabd2416037de00d82fca5fba)

Signed-off-by: Jörg Sommer &lt;joerg.sommer@navimatix.de&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
</feed>
