<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/scripts/contrib, branch master</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=master</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2025-11-07T13:31:53+00:00</updated>
<entry>
<title>The poky repository master branch is no longer being updated.</title>
<updated>2025-11-07T13:31:53+00:00</updated>
<author>
<name>Richard Purdie</name>
<email>richard.purdie@linuxfoundation.org</email>
</author>
<published>2025-11-07T13:31:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=8c22ff0d8b70d9b12f0487ef696a7e915b9e3173'/>
<id>urn:sha1:8c22ff0d8b70d9b12f0487ef696a7e915b9e3173</id>
<content type='text'>
You can either:

a) switch to individual clones of bitbake, openembedded-core, meta-yocto and yocto-docs

b) use the new bitbake-setup

You can find information about either approach in our documentation:
https://docs.yoctoproject.org/

Note that "poky" the distro setting is still available in meta-yocto as
before and we continue to use and maintain that.

Long live Poky!

Some further information on the background of this change can be found
in: https://lists.openembedded.org/g/openembedded-architecture/message/2179

Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>improve_kernel_cve_report: add option to read debugsources.zstd</title>
<updated>2025-10-27T17:20:42+00:00</updated>
<author>
<name>Daniel Turull</name>
<email>daniel.turull@ericsson.com</email>
</author>
<published>2025-10-23T07:13:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=6a2a827e9ceedcf7d9e43284b26a03289af7ed2a'/>
<id>urn:sha1:6a2a827e9ceedcf7d9e43284b26a03289af7ed2a</id>
<content type='text'>
Adding option to be able to import debugsources.zstd directly.
The linux-yocto-debugsources.zstd is generated in every build and
does not require any additional configuration.

In contrast, SPDX_INCLUDE_COMPILED_SOURCES needs to be explicitly
added and increases build time.

(From OE-Core rev: c84a8958f30bbb982656ddcbe7476f6f81e1a6fb)

Signed-off-by: Daniel Turull &lt;daniel.turull@ericsson.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>improve_kernel_cve_report: do not use custom version</title>
<updated>2025-07-10T09:47:31+00:00</updated>
<author>
<name>Daniel Turull</name>
<email>daniel.turull@ericsson.com</email>
</author>
<published>2025-07-04T13:02:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=348ef80f275d36e965bc1f656a170bbce23f224a'/>
<id>urn:sha1:348ef80f275d36e965bc1f656a170bbce23f224a</id>
<content type='text'>
When using the version specified in cve-summary.json, we need to
remove the suffix containing the custom version to match the
versions from the CVEs.

This patch truncates the version from cve-summary.json to use only
the base version of the kernel.

This is only applicable for kernels where the user has added their
own version.

(From OE-Core rev: 3942d40e96989268e8d1030f9d8c3859044d9635)

Signed-off-by: Daniel Turull &lt;daniel.turull@ericsson.com&gt;
Signed-off-by: Antonin Godard &lt;antonin.godard@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>improve_kernel_cve_report: do not override backported-patch</title>
<updated>2025-07-10T09:47:30+00:00</updated>
<author>
<name>Daniel Turull</name>
<email>daniel.turull@ericsson.com</email>
</author>
<published>2025-07-04T13:02:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=dac57535d979d59a9d965af0552e8879750425aa'/>
<id>urn:sha1:dac57535d979d59a9d965af0552e8879750425aa</id>
<content type='text'>
If the user has a CVE_STATUS for their own backported patch,
the backport takes priority over upstream vulnerable versions.

(From OE-Core rev: 0beef05be119ea465ba06553a42edea03dfc9fd3)

Signed-off-by: Daniel Turull &lt;daniel.turull@ericsson.com&gt;
Signed-off-by: Antonin Godard &lt;antonin.godard@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>improve_kernel_cve_report: add script for postprocessing of kernel CVE data</title>
<updated>2025-06-19T20:54:43+00:00</updated>
<author>
<name>Daniel Turull</name>
<email>daniel.turull@ericsson.com</email>
</author>
<published>2025-06-10T15:24:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=5dff1c40dbde96c77098e7405ada98bb40fe0350'/>
<id>urn:sha1:5dff1c40dbde96c77098e7405ada98bb40fe0350</id>
<content type='text'>
Adding postprocessing script to process data from the Linux CNA, which includes more accurate metadata and is updated directly by the source.

Example of enhanced CVE from a report from cve-check:

{
  "id": "CVE-2024-26710",
  "status": "Ignored",
  "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26710",
  "summary": "In the Linux kernel, the following vulnerability [...]",
  "scorev2": "0.0",
  "scorev3": "5.5",
  "scorev4": "0.0",
  "modified": "2025-03-17T15:36:11.620",
  "vector": "LOCAL",
  "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
  "detail": "not-applicable-config",
  "description": "Source code not compiled by config. ['arch/powerpc/include/asm/thread_info.h']"
},

And same from a report generated with vex:
{
  "id": "CVE-2024-26710",
  "status": "Ignored",
  "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26710",
  "detail": "not-applicable-config",
  "description": "Source code not compiled by config. ['arch/powerpc/include/asm/thread_info.h']"
},

For unpatched CVEs, provide more context in the description:
Tested with 6.12.22 kernel
{
  "id": "CVE-2025-39728",
  "status": "Unpatched",
  "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39728",
  "summary": "In the Linux kernel, the following vulnerability has been [...]",
  "scorev2": "0.0",
  "scorev3": "0.0",
  "scorev4": "0.0",
  "modified": "2025-04-21T14:23:45.950",
  "vector": "UNKNOWN",
  "vectorString": "UNKNOWN",
  "detail": "version-in-range",
  "description": "Needs backporting (fixed from 6.12.23)"
},

CC: Peter Marko &lt;peter.marko@siemens.com&gt;
CC: Marta Rybczynska &lt;rybczynska@gmail.com&gt;
(From OE-Core rev: e60b1759c1aea5b8f5317e46608f0a3e782ecf57)

Signed-off-by: Daniel Turull &lt;daniel.turull@ericsson.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>scripts/contrib: Add oe-image-files-spdx script</title>
<updated>2025-02-18T11:56:03+00:00</updated>
<author>
<name>Joshua Watt</name>
<email>jpewhacker@gmail.com</email>
</author>
<published>2025-02-11T15:03:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=36be59464ca56c209a4a67bd99f9a5cb6f29558d'/>
<id>urn:sha1:36be59464ca56c209a4a67bd99f9a5cb6f29558d</id>
<content type='text'>
Adds a template for a python project that processes the SPDX 3.0.1
output from a build and lists all the files on the root file system with
their checksums

This is intended to be an example to show how to deal with the SPDX data
to do common tasks.

(From OE-Core rev: 3d9c5588ce6181b519810e3378b55826ffcaee49)

Signed-off-by: Joshua Watt &lt;JPEWhacker@gmail.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>licenses: Map SGIv1 to SGI-OpenGL</title>
<updated>2025-02-05T12:49:55+00:00</updated>
<author>
<name>Bastian Germann</name>
<email>bage@debian.org</email>
</author>
<published>2025-01-31T19:25:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=bdcc24a44faa1054bd5d458c1cdb9ac0b06a3cfe'/>
<id>urn:sha1:bdcc24a44faa1054bd5d458c1cdb9ac0b06a3cfe</id>
<content type='text'>
SGI-1 is not a SPDX license identifier. However, the SGI-1 license has
the same license text as SGI-OpenGL. Map the old SGIv1 name to SGI-OpenGL.

(From OE-Core rev: e97a9c3c86a8fe27a26ad69174ba50e5228846e5)

Signed-off-by: Bastian Germann &lt;bage@debian.org&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>scripts: patchreview: fix failure when running from a different folder</title>
<updated>2024-11-21T12:16:28+00:00</updated>
<author>
<name>Nicolas Dechesne</name>
<email>nicolas.dechesne@oss.qualcomm.com</email>
</author>
<published>2024-11-19T09:41:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=79ef781499f5bf219dae338882eefe7d4f800304'/>
<id>urn:sha1:79ef781499f5bf219dae338882eefe7d4f800304</id>
<content type='text'>
When running patchreview with --blame, the script runs a git log
command on the analyzed patch. When trying to analyse a layer which is
not in poky tree, we might be running the git log command from outside
the git workspace where the file is located, which results in such
failures:

Missing Signed-off-by tag ([truncated]/meta-qcom-hwe/recipes-devtools/partition-utils/qcom-ptool/0001-ptool.py-Generate-zero-files-in-output-folder-when-s.patch)
fatal: not a git repository (or any parent up to mount point /local/mnt)
Stopping at filesystem boundary (GIT_DISCOVERY_ACROSS_FILESYSTEM not set).

Fix this situation by setting the current work dir inside the git
workspace of the patch when running git log.

(From OE-Core rev: 8cc1c900b91d60e633f62bfe16a2ffc2d61c3f55)

Signed-off-by: Nicolas Dechesne &lt;nicolas.dechesne@oss.qualcomm.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>patchreview: use check_upstream_status() from oe.qa</title>
<updated>2024-11-12T11:19:44+00:00</updated>
<author>
<name>Martin Jansa</name>
<email>Martin.Jansa@gmail.com</email>
</author>
<published>2024-11-06T14:54:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=6eb0a35580ab935432c3f9eaf8afca91496f4f53'/>
<id>urn:sha1:6eb0a35580ab935432c3f9eaf8afca91496f4f53</id>
<content type='text'>
* the idea was to reuse the same function as I've noticed that the
  QA check which was added to insane.bbclass in:
  https://git.openembedded.org/openembedded-core/commit/?id=76a685bfcf927593eac67157762a53259089ea8a
  is in some cases more strict than scripts/contrib/patchreview.py

  To be honest I wasn't aware of scripts/contrib/patchreview.py
  existence when I've asked about moving check_upstream_status()
  to oe.qa in order to write standalone script just like
  patchreview.py

* I've sent this long time ago:
  https://lists.openembedded.org/g/openembedded-core/message/177207
  but didn't like the sys.path.append to find oe.qa much or the
  duplicated path to .patch file in the output, then I forgot about
  it until today in https://github.com/OE4T/meta-tegra/pull/1749
  where checklayer found one more issue, which I haven't noticed
  with patchreview.py before (because I've accidentally used a version
  without this change). It's not perfect, but at least it will be
  consistent with checklayer and patch-status QA check.

(From OE-Core rev: f291c08ea6a95638c3ad1f70434678bd5e374195)

Signed-off-by: Martin Jansa &lt;martin.jansa@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>Add script to make SPDX bindings</title>
<updated>2024-09-30T16:07:18+00:00</updated>
<author>
<name>Joshua Watt</name>
<email>jpewhacker@gmail.com</email>
</author>
<published>2024-09-27T15:51:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=dfa892cfa698b73d4d68cc3e9b6bb17488f0952b'/>
<id>urn:sha1:dfa892cfa698b73d4d68cc3e9b6bb17488f0952b</id>
<content type='text'>
Adds a script to generate the SPDX code bindings

(From OE-Core rev: f0a5fdf54f975f9bc30758aec1f6f27e2d8149de)

Signed-off-by: Joshua Watt &lt;JPEWhacker@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
</feed>
