Mirror of git.yoctoproject.org/poky https://git.enea.com/cgit/linux/poky.git/atom?h=scarthgap 2026-06-10T13:35:20+00:00 2026-06-10T13:35:20+00:00 Ross Burton ross.burton@arm.com 2026-05-07T17:50:26+00:00 urn:sha1:1a099cb1faa19c80b1ac337338a4947d2570cd72 When unpacking zip files requests uses predictable paths. Backport a fix to use randomly generated pathnames to mitigate injection attacks. (From OE-Core rev: b23ec9773d67f8767904731afa86fe5ede08f97f) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit fe846d71b647fb06e6a87cb45a2dd9b0889e2891) Signed-off-by: Deepak Rathore <deeratho@cisco.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> 2025-09-22T20:17:52+00:00 Haixiao Yan haixiao.yan.cn@windriver.com 2025-09-16T13:19:18+00:00 urn:sha1:e3ce89324da1e33c17c9180ef846f41d92616254 When Bash runs with 'set -u' (nounset), accessing an unset variable directly (e.g. [ -z "$SSL_CERT_FILE" ]) causes a fatal "unbound variable" error. As a result, the fallback logic to set SSL_CERT_FILE/SSL_CERT_DIR is never triggered and the script aborts. The current code assumes these variables may be unset or empty, but does not guard against 'set -u'. This breaks builds in stricter shell environments or when users explicitly enable 'set -u'. Fix this by using parameter expansion with a default value, e.g. "${SSL_CERT_FILE:-}", so that unset variables are treated as empty strings. This preserves the intended logic (respect host env first, then CAFILE/CAPATH, then buildtools defaults) and makes the script robust under 'set -u'. (From OE-Core rev: 4cf131ebd157b79226533b5a5074691dd0e1a4ab) Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 4d880c2eccd534133a2a4e6579d955605c0956ec) Signed-off-by: Steve Sakoman <steve@sakoman.com> 2025-05-02T15:20:12+00:00 Changqing Li changqing.li@windriver.com 2025-04-28T05:53:07+00:00 urn:sha1:18206fc2dba1684bc96efecf95c65450f9577203 To adapt user network enviroment, buildtools should first try to use the user configured envs like SSL_CERT_FILE/CURL_CA_BUNDLE/..., if these envs is not set, then use the auto-detected ca file and ca path, and finally use the CA certificates in buildtools. nativesdk-openssl set OPENSSLDIR as "/not/builtin", need set SSL_CERT_FILE/SSL_CERT_DIR to work nativesdk-curl don't set default ca file, need SSL_CERT_FILE/SSL_CERT_DIR or CURL_CA_BUNDLE/CURL_CA_PATH to work nativesdk-git actually use libcurl, and GIT_SSL_CAPATH/GIT_SSL_CAINFO also works nativesdk-python3-requests will use cacert.pem under python module certifi by default, need to set REQUESTS_CA_BUNDLE (From OE-Core rev: 0653b96bac6d0800dc5154557706a323418808be) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> 2025-05-02T15:20:12+00:00 Changqing Li changqing.li@windriver.com 2025-04-28T05:53:06+00:00 urn:sha1:397d432a62c265f481cf1ac4d9c760504d9eb9f5 Here is one testcase: For recipe tensorflow-lite-host-tools_2.18.0.bb, refer [1], do_configure[network] = "1" and it will git clone some repos in CMakeLists.txt When buildtools is used and nativesdk-git is installed into sdk, do_configure failed with error: [1/9] Performing download step (git clone) for 'protobuf-populate' Cloning into 'protobuf'... fatal: unable to access 'https://github.com/protocolbuffers/protobuf/': error setting certificate file: /usr/local/oe-sdk-hardcoded-buildpath/sysroots/x86_64-wrlinuxsdk-linux/etc/ssl/certs/ca-certificates.crt Fix by adding GIT_SSL_CAINFO in BB_ENV_PASSTHROUGH_ADDITIONS, so that user can export GIT_SSL_CAINFO=${GIT_SSL_CAINFO} in their do_configure:prepend() to fix above do_configure failure CURL_CA_BUNDLE and REQUESTS_CA_BUNDLE is similar envvars, so all add into BB_ENV_PASSTHROUGH_ADDITIONS [1] https://github.com/nxp-imx/meta-imx/blob/styhead-6.12.3-1.0.0/meta-imx-ml/recipes-libraries/tensorflow-lite/tensorflow-lite-host-tools_2.18.0.bb (From OE-Core rev: 27f018d8e8ace97d0b1cdfb8782a2a7a0a319816) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> 2025-05-02T15:20:12+00:00 Changqing Li changqing.li@windriver.com 2025-04-28T05:53:05+00:00 urn:sha1:2e0b9e9a86f6bd2ba13082e31d7c097b254f30a4 * make git,curl,python3-requests align with openssl, move the setting of envvars into respective envfile * for environment.d-openssl.sh, also check if ca-certificates.crt exist before export envvars (From OE-Core rev: 5f4fd544d3df7365224599c9efdce4e545f51d5e) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>