<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/lib/oe, branch yocto-5.0.14</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=yocto-5.0.14</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=yocto-5.0.14'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2025-11-14T14:45:30+00:00</updated>
<entry>
<title>spdx30_tasks: adapt CVE handling to new cve-check API</title>
<updated>2025-11-14T14:45:30+00:00</updated>
<author>
<name>Kamel Bouhara (Schneider Electric)</name>
<email>kamel.bouhara@bootlin.com</email>
</author>
<published>2025-11-07T13:14:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=5b74a8f1a54d62d2cf2330bef6ffad3508540a91'/>
<id>urn:sha1:5b74a8f1a54d62d2cf2330bef6ffad3508540a91</id>
<content type='text'>
Changes to cve-check (see poky commit fb3f440b7d8,
"cve-check: annotate CVEs during analysis") modified the
get_patched_cves() API to return a set of CVE IDs instead of a
dictionary of CVE metadata.

The SPDX 3 backport still expected a dictionary and attempted to call
.items(), leading to:

    AttributeError: 'set' object has no attribute 'items'

This patch updates the SPDX3 code to iterate directly over the CVE IDs
and use `oe.cve_check.decode_cve_status()` to retrieve the mapping,
detail, and description for each CVE. This restores compatibility with
the updated CVE API and matches the behavior of SPDX3 handling on
Walnascar.

A warning is logged if a CVE has missing or unknown status.

(From OE-Core rev: 55fdeea44ffbecb705f7900bfa85ab88e1191878)

Signed-off-by: Kamel Bouhara (Schneider Electric) &lt;kamel.bouhara@bootlin.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>lib: oe: license: Add missing import</title>
<updated>2025-11-14T14:45:29+00:00</updated>
<author>
<name>Joshua Watt</name>
<email>JPEWhacker@gmail.com</email>
</author>
<published>2025-11-07T13:14:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=b5184d1487160d3d340371a5a38d1628a4a16297'/>
<id>urn:sha1:b5184d1487160d3d340371a5a38d1628a4a16297</id>
<content type='text'>
The code in this file uses oe.qa, but it was not imported resulting an
an exception when a license error was detected

(From OE-Core rev: f8aa42faa3640d0414745ae32b00a37b2f5d638b)

Signed-off-by: Joshua Watt &lt;JPEWhacker@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit e44cb7c5b7281d614ed51fdec06dad0a7211528a)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>lib/license: Move package license skip to library</title>
<updated>2025-11-14T14:45:29+00:00</updated>
<author>
<name>Joshua Watt</name>
<email>JPEWhacker@gmail.com</email>
</author>
<published>2025-11-07T13:14:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=8f0eab43edc4f2a3e74cd30903c5e5718cc1186c'/>
<id>urn:sha1:8f0eab43edc4f2a3e74cd30903c5e5718cc1186c</id>
<content type='text'>
Moves the code that skips packages with incompatible licenses to the
library code so that it can be called in other locations

(From OE-Core rev: 4f7a047c4a1e14bbb3bf593764aace1e25bcd4a4)

Signed-off-by: Joshua Watt &lt;JPEWhacker@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit 86eb409e3c1b30110869ec5a0027ae2d48bbfe7f)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>classes-global/license: Move functions to library code</title>
<updated>2025-11-14T14:45:29+00:00</updated>
<author>
<name>Joshua Watt</name>
<email>JPEWhacker@gmail.com</email>
</author>
<published>2025-11-07T13:14:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=ff754175475ae52a4f3fe91cf5d985a8b703dd11'/>
<id>urn:sha1:ff754175475ae52a4f3fe91cf5d985a8b703dd11</id>
<content type='text'>
Moves several of the functions in license.bbclass to be library code

New function dependencies were manually verified using bitbake-dumpsigs
to ensure that bitbake identified the same dependencies even though they
are now in library code (although the new function names mean that the
task hashes still change)

(From OE-Core rev: 5e220e20833fd800687b05c8f5cef602dfc47202)

Signed-off-by: Joshua Watt &lt;JPEWhacker@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit 0333e04e353991260c5f67a72f80f3ab9dcf526a)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>spdx30_tasks: fix FetchData attribute in add_download_files</title>
<updated>2025-11-14T14:45:29+00:00</updated>
<author>
<name>Kamel Bouhara (Schneider Electric)</name>
<email>kamel.bouhara@bootlin.com</email>
</author>
<published>2025-11-07T13:14:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=b16bf27386d3a411f452908c913aaf2335be0f22'/>
<id>urn:sha1:b16bf27386d3a411f452908c913aaf2335be0f22</id>
<content type='text'>
The add_download_files() function incorrectly accessed fd.name, which
does not exist on FetchData objects.

Change to use fd.names[0] to correctly retrieve the first filename.

This fixes AttributeError during SPDX document generation.

(From OE-Core rev: 17031d71cf4bc4fc19dd8a41c49b94e1f6a1edee)

Signed-off-by: Kamel Bouhara (Schneider Electric) &lt;kamel.bouhara@bootlin.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>backport: SPDX 3.0 fixes and tasks from upstream version Walnascar</title>
<updated>2025-11-14T14:45:29+00:00</updated>
<author>
<name>Kamel Bouhara (Schneider Electric)</name>
<email>kamel.bouhara@bootlin.com</email>
</author>
<published>2025-11-07T13:14:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=11cd8498da86c61366e8701a8a49d60120c85248'/>
<id>urn:sha1:11cd8498da86c61366e8701a8a49d60120c85248</id>
<content type='text'>
Backports the SPDX 3.0 support and fixes from upstream walnascar
commit 49f47169953b807d430461ca33f3a2b076119712 into upstream
scarthgap.

(From OE-Core rev: 9c9b9545049a2f6e5c99edcb079275d29a4d1ac6)

Signed-off-by: Kamel Bouhara (Schneider Electric) &lt;kamel.bouhara@bootlin.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>lib/oe/utils: use multiprocessing from bb</title>
<updated>2025-09-30T15:01:59+00:00</updated>
<author>
<name>Martin Jansa</name>
<email>martin.jansa@gmail.com</email>
</author>
<published>2025-09-09T17:17:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=e753480a0540df86cba94b04824aa9d9e7fe3932'/>
<id>urn:sha1:e753480a0540df86cba94b04824aa9d9e7fe3932</id>
<content type='text'>
Fixes build with python-3.14

It was added to bitbake in 62be9113d98fccb347c6aa0a10d5c4ee2857f8b6
and oe-core now requires latest bitbake already, so we can use this.

[YOCTO #15858]

(From OE-Core rev: 92369c8acf0b4d6c2ced88abbda5f5defd276ba2)

Signed-off-by: Martin Jansa &lt;martin.jansa@gmail.com&gt;
Reviewed-by: Joshua Watt &lt;JPEWhacker@gmail.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Martin Jansa &lt;martin.jansa@gmail.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>license.py: avoid deprecated ast.Str</title>
<updated>2025-09-22T20:17:52+00:00</updated>
<author>
<name>Martin Jansa</name>
<email>martin.jansa@gmail.com</email>
</author>
<published>2025-09-09T17:17:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=d2c6c66c1e496d42a70af6fadca3fe1e19bfcfd0'/>
<id>urn:sha1:d2c6c66c1e496d42a70af6fadca3fe1e19bfcfd0</id>
<content type='text'>
* it's deprecated since python-3.12 and removed in 3.14 causing:

openembedded-core/meta/lib/oe/license.py', lineno: 176, function: visit
     0172:
     0173:        LicenseVisitor.__init__(self)
     0174:
     0175:    def visit(self, node):
 *** 0176:        if isinstance(node, ast.Str):
     0177:            lic = node.s
     0178:
     0179:            if license_ok(self._canonical_license(self._d, lic),
     0180:                    self._dont_want_licenses) == True:
Exception: AttributeError: module 'ast' has no attribute 'Str'

(From OE-Core rev: df9898f13c261eeac2cc343569c843bc7dcaf163)

Signed-off-by: Martin Jansa &lt;martin.jansa@gmail.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>spdx: add option to include only compiled sources</title>
<updated>2025-07-07T14:42:58+00:00</updated>
<author>
<name>Daniel Turull</name>
<email>daniel.turull@ericsson.com</email>
</author>
<published>2025-06-19T08:47:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=2366605a35443565e259d03791d7b662c6ea03e2'/>
<id>urn:sha1:2366605a35443565e259d03791d7b662c6ea03e2</id>
<content type='text'>
When SPDX_INCLUDE_COMPILED_SOURCES is enabled, only include the
source code files that are used during compilation.

It uses debugsource information generated during do_package.

This enables an external tool to use the SPDX information to disregard
vulnerabilities that are not compiled.

As example, when used with the default config with linux-yocto, the spdx size is
reduced from 156MB to 61MB.

Tested with bitbake world on oe-core.

(From OE-Core rev: c6a2f1fca76fae4c3ea471a0c63d0b453beea968)
Adapted to existing files for create-spdx-2.2

CC: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
CC: Joshua Watt &lt;JPEWhacker@gmail.com&gt;
(From OE-Core rev: a2866934e58fb377a73e87576c8594988a63ad1b)

Signed-off-by: Daniel Turull &lt;daniel.turull@ericsson.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>package: export debugsources in PKGDESTWORK as json</title>
<updated>2025-07-07T14:42:58+00:00</updated>
<author>
<name>Daniel Turull</name>
<email>daniel.turull@ericsson.com</email>
</author>
<published>2025-06-19T08:47:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=5b7a6dec8542968b5062e4da407e322dda50326b'/>
<id>urn:sha1:5b7a6dec8542968b5062e4da407e322dda50326b</id>
<content type='text'>
The source information used during packaging can be use from other tasks to
have more detailed information on the files used during the compilation and
improve SPDX accuracy.

Source files used during compilation are store as compressed zstd json in
pkgdata/debugsources/$PN-debugsources.json.zstd
Format:
{ binary1: [src1, src2, ...], binary2: [src1, src2, ...] }

I checked the sstate size, and it slightly increases using core-image-full-cmdline:
without patch: 2456792 KB sstate-cache/
with patch:    2460028 KB sstate-cache/
(4236 KB or 0.17%)

(From OE-Core rev: c507dcb8a8780a42bfe68b1ebaff0909b4236e6b)
Adaptations to match spdx in scarthgap: change BP to PF

CC: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
CC: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(From OE-Core rev: cba53212f5debf897752453364b9756a05c197de)

Signed-off-by: Daniel Turull &lt;daniel.turull@ericsson.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
</feed>
