<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/recipes-connectivity/openssl, branch master</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=master</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2025-11-07T13:31:53+00:00</updated>
<entry>
<title>The poky repository master branch is no longer being updated.</title>
<updated>2025-11-07T13:31:53+00:00</updated>
<author>
<name>Richard Purdie</name>
<email>richard.purdie@linuxfoundation.org</email>
</author>
<published>2025-11-07T13:31:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=8c22ff0d8b70d9b12f0487ef696a7e915b9e3173'/>
<id>urn:sha1:8c22ff0d8b70d9b12f0487ef696a7e915b9e3173</id>
<content type='text'>
You can either:

a) switch to individual clones of bitbake, openembedded-core, meta-yocto and yocto-docs

b) use the new bitbake-setup

You can find information about either approach in our documentation:
https://docs.yoctoproject.org/

Note that "poky" the distro setting is still available in meta-yocto as
before and we continue to use and maintain that.

Long live Poky!

Some further information on the background of this change can be found
in: https://lists.openembedded.org/g/openembedded-architecture/message/2179

Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>openssl: extend check_cwm test timeout</title>
<updated>2025-11-06T15:09:32+00:00</updated>
<author>
<name>Gyorgy Sarvari</name>
<email>skandigraun@gmail.com</email>
</author>
<published>2025-10-23T10:50:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=9bede3e6bc8bf7b5ef39614f7a7f6e674bb31b34'/>
<id>urn:sha1:9bede3e6bc8bf7b5ef39614f7a7f6e674bb31b34</id>
<content type='text'>
Fixes [YOCTO 14649]

The default 3s test execution timeout isn't always enough for the check_cwm test
on the autobuilder in case there is a high load on the host machine,
and due to this, this case fails sometimes.

This patch doubles the timeout for this testcase to 6 seconds to allow enough
time for execution even if there is high CPU usage by other processes.

(From OE-Core rev: 561aba8d38d1e15d23bd13736013825bd04aff2c)

Signed-off-by: Gyorgy Sarvari &lt;skandigraun@gmail.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>openssl: upgrade 3.5.2 -&gt; 3.5.4</title>
<updated>2025-10-09T09:58:07+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-10-05T11:18:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=365e8a69d710a46d09edbbb4d4eca2d11ed83ed1'/>
<id>urn:sha1:365e8a69d710a46d09edbbb4d4eca2d11ed83ed1</id>
<content type='text'>
Release information:
https://github.com/openssl/openssl/blob/openssl-3.5/NEWS.md#major-changes-between-openssl-353-and-openssl-354-30-sep-2025

OpenSSL 3.5.4 is a security patch release. The most severe CVE fixed in this release is Moderate.
This release incorporates the following bug fixes and mitigations:
* Fix Out-of-bounds read &amp; write in RFC 3211 KEK Unwrap. (CVE-2025-9230)
* Fix Timing side-channel in SM2 algorithm on 64 bit ARM. (CVE-2025-9231)
* Fix Out-of-bounds read in HTTP client no_proxy handling. (CVE-2025-9232)
* Reverted the synthesised OPENSSL_VERSION_NUMBER change for the release builds, as it broke some existing applications that relied on the previous 3.x semantics, as documented in OpenSSL_version(3).

Release information:
https://github.com/openssl/openssl/blob/openssl-3.5/NEWS.md#major-changes-between-openssl-352-and-openssl-353-16-sep-2025

OpenSSL 3.5.3 is a bug fix release.
This release incorporates the following bug fixes and mitigations:
* Added FIPS 140-3 PCT on DH key generation.
* Fixed the synthesised OPENSSL_VERSION_NUMBER.
* Removed PCT on key import in the FIPS provider as it is not required by the standard.

(From OE-Core rev: 0e2b3c46fdf2e2b3854fa73bda434fdd41da0a3c)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>buildtools-tarball: fix unbound variable issues under 'set -u'</title>
<updated>2025-09-15T16:57:23+00:00</updated>
<author>
<name>Haixiao Yan</name>
<email>haixiao.yan.cn@windriver.com</email>
</author>
<published>2025-09-12T01:59:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=f5adf527f2e3279432800218986505f894167d3d'/>
<id>urn:sha1:f5adf527f2e3279432800218986505f894167d3d</id>
<content type='text'>
When Bash runs with 'set -u' (nounset), accessing an unset variable
directly (e.g. [ -z "$SSL_CERT_FILE" ]) causes a fatal "unbound variable"
error. As a result, the fallback logic to set SSL_CERT_FILE/SSL_CERT_DIR
is never triggered and the script aborts.

The current code assumes these variables may be unset or empty, but does
not guard against 'set -u'. This breaks builds in stricter shell
environments or when users explicitly enable 'set -u'.

Fix this by using parameter expansion with a default value, e.g.
"${SSL_CERT_FILE:-}", so that unset variables are treated as empty
strings. This preserves the intended logic (respect host env first, then
CAFILE/CAPATH, then buildtools defaults) and makes the script robust
under 'set -u'.

(From OE-Core rev: 4d880c2eccd534133a2a4e6579d955605c0956ec)

Signed-off-by: Haixiao Yan &lt;haixiao.yan.cn@windriver.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>openssl: upgrade 3.5.1 -&gt; 3.5.2</title>
<updated>2025-08-11T17:04:25+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-08-08T19:05:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=23340e61cdb922860747d9a0b779ffd942c94be4'/>
<id>urn:sha1:23340e61cdb922860747d9a0b779ffd942c94be4</id>
<content type='text'>
Release information:
https://github.com/openssl/openssl/blob/openssl-3.5/NEWS.md#major-changes-between-openssl-351-and-openssl-352-5-aug-2025

OpenSSL 3.5.2 is a bug fix release.

This release incorporates the following bug fixes and mitigations:
* Miscellaneous minor bug fixes.
* The FIPS provider now performs a PCT on key import for RSA, EC and ECX.
  This is mandated by FIPS 140-3 IG 10.3.A additional comment 1.

(From OE-Core rev: bbe3a09beb5e9d6008ac306c82647bb22a5c3210)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>openssl: upgrade 3.5.0 -&gt; 3.5.1</title>
<updated>2025-07-14T16:49:48+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-07-10T22:08:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=510b5f71cc224fb6fffb38156fa01a1991234eeb'/>
<id>urn:sha1:510b5f71cc224fb6fffb38156fa01a1991234eeb</id>
<content type='text'>
Release information:
https://github.com/openssl/openssl/blob/openssl-3.5/NEWS.md#major-changes-between-openssl-350-and-openssl-351-1-jul-2025

Handles CVE-2025-4575.

Refresh patches.

(From OE-Core rev: c030c9c31d27917fb45aaaa5ed174c16ca68ec9e)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>openssl: add workaround for broken paths in native libcrypto.pc</title>
<updated>2025-07-10T09:47:30+00:00</updated>
<author>
<name>Enrico Jörns</name>
<email>ejo@pengutronix.de</email>
</author>
<published>2025-07-03T13:21:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=de46ad45f6b12f0cd553b288e1e0144169ee3537'/>
<id>urn:sha1:de46ad45f6b12f0cd553b288e1e0144169ee3537</id>
<content type='text'>
Since d1b29222 ("openssl-native(sdk): poision built in paths") the
workaround for host path contamination in native(sdk) openssl is fixed.
But an unfortunate side-effect of forcing the directory variables
(OPENSSLDIR, ENGINESDIR, MODULESDIR) to be invalid is that it renders
the generated native pkg-config file (libcrypto.pc) unusable:

  [..]
  includedir=${prefix}/include
  enginesdir=${libdir}/../../../../../../../../../../../../../../../../not/builtin
  modulesdir=${libdir}/../../../../../../../../../../../../../../../../not/builtin

  Name: OpenSSL-libcrypto
  [..]

This will prevent other native tools (like libp11-native) from
installing their (.so) files into valid OpenSSL directories.

The strange paths are a result of OpenSSL's build system attempting to
resolve the dummy path "/not/builtin" relative to ${libdir} for
libcrypto.pc.in:

| enginesdir=${libdir}/{- $OpenSSL::safe::installdata::ENGINESDIR_REL_LIBDIR[0] -}

There doesn't appear to be a straightforward way to avoid embedding a
built-in host path while still generating a valid libcrypto.pc file.

This workaround now post-fixes the .pc files for openssl-native by using
two sed calls to replace the invalid paths with the valid ones.
(To prevent bitbake from early expanding the libdir variables, use a
group as a simple hack.)

(From OE-Core rev: 4d4af8d1cb272369eb4ddcc489e90831c9c2c8c7)

Signed-off-by: Enrico Jörns &lt;ejo@pengutronix.de&gt;
Signed-off-by: Antonin Godard &lt;antonin.godard@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>openssl: Link with libatomic on x86/clang</title>
<updated>2025-05-27T08:01:16+00:00</updated>
<author>
<name>Khem Raj</name>
<email>raj.khem@gmail.com</email>
</author>
<published>2025-05-21T06:19:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=1cc5c462318849a8182a8c31833365f1f6cf0afc'/>
<id>urn:sha1:1cc5c462318849a8182a8c31833365f1f6cf0afc</id>
<content type='text'>
Fixes

threads_pthread.c:(.text+0x372): undefined reference to `__atomic_is_lock_free'

(From OE-Core rev: 636e30f2d363bd77ac9cce69eecb14d2db703bb2)

Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>openssl: add fips support</title>
<updated>2025-05-15T09:55:26+00:00</updated>
<author>
<name>Yi Zhao</name>
<email>yi.zhao@windriver.com</email>
</author>
<published>2025-05-09T14:55:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=756d8ab24651a66f3ec705ab57a86a3919468cd2'/>
<id>urn:sha1:756d8ab24651a66f3ec705ab57a86a3919468cd2</id>
<content type='text'>
* Add PACKAGECONFIG[fips] to enable fips build.
* Split a new package openssl-ossl-module-fips for fips.so.
* Add pkg_postinst_ontarget for openssl-ossl-module-fips to ensure the
  config file fipsmodule.cnf is created on target. This is because we
  should not use the same fipsmodule.cnf on different machines.
  The 'openssl fipsinstall' commandline in pkg_postinst_ontarget will do
  the following things:
  1. Run the FIPS module self tests on target.
  2. Generate config file fipsmodule.conf containing information about
     the FIPS module such as the calculated MAC of the module.

(From OE-Core rev: 29979937e2d40885e7e91bb9a7e7dca6763e3d52)

Signed-off-by: Yi Zhao &lt;yi.zhao@windriver.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>buildtools-tarball: Make buildtools respect host CA certificates</title>
<updated>2025-04-24T10:27:06+00:00</updated>
<author>
<name>Changqing Li</name>
<email>changqing.li@windriver.com</email>
</author>
<published>2025-04-15T10:56:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=8dcd0f73eb9547b8daacc751141b8531fbbe4bf7'/>
<id>urn:sha1:8dcd0f73eb9547b8daacc751141b8531fbbe4bf7</id>
<content type='text'>
To adapt to the user's network environment, buildtools should first try to use
the user-configured envs like SSL_CERT_FILE/CURL_CA_BUNDLE/...; if these
envs are not set, then use the auto-detected CA file and CA path, and
finally use the CA certificates in buildtools.

nativesdk-openssl sets OPENSSLDIR to "/not/builtin", so SSL_CERT_FILE/SSL_CERT_DIR need to be set for it to work

nativesdk-curl doesn't set a default CA file, so it needs
SSL_CERT_FILE/SSL_CERT_DIR or CURL_CA_BUNDLE/CURL_CA_PATH to work

nativesdk-git actually uses libcurl, and GIT_SSL_CAPATH/GIT_SSL_CAINFO
also work

nativesdk-python3-requests will use cacert.pem under the python module certifi by
default, so REQUESTS_CA_BUNDLE needs to be set

(From OE-Core rev: 8a7ec52e9b35654bee48cd948c6c34c63db3e265)

Signed-off-by: Changqing Li &lt;changqing.li@windriver.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
</feed>
