path: root/meta/conf
Age | Commit message | Author
2019-12-10 | cve-check: backport rewrite from master | Ross Burton
As detailed at [1] the XML feeds provided by NIST are being discontinued on October 9th 2019. As cve-check-tool uses these feeds, cve-check.bbclass will be inoperable after this date. To ensure that cve-check continues working, backport the following commits from master to move away from the unmaintained cve-check-tool to our own Python code that fetches the JSON:
546d14135c5 cve-update-db: New recipe to update CVE database
bc144b028f6 cve-check: Remove dependency to cve-check-tool-native
7f62a20b32a cve-check: Manage CVE_PRODUCT with more than one name
3bf63bc6084 cve-check: Consider CVE that affects versions with less than operator
c0eabd30d7b cve-update-db: Use std library instead of urllib3
27eb839ee65 cve-check: be idiomatic
09be21f4d17 cve-update-db: Manage proxy if needed.
975793e3825 cve-update-db: do_populate_cve_db depends on do_fetch
0325dd72714 cve-update-db: Catch request.urlopen errors.
4078da92b49 cve-check: Depends on cve-update-db-native
f7676e9a38d cve-update-db: Use NVD CPE data to populate PRODUCTS table
bc0195be1b1 cve-check: Update unpatched CVE matching
c807c2a6409 cve-update-db-native: Skip recipe when cve-check class is not loaded.
07bb8b25e17 cve-check: remove redundant readline CVE whitelisting
5388ed6d137 cve-check-tool: remove
270ac00cb43 cve-check.bbclass: initialize to_append
e6bf9000987 cve-check: allow comparison of Vendor as well as Product
91770338f76 cve-update-db-native: use SQL placeholders instead of format strings
7069302a4cc cve-check: Replace CVE_CHECK_CVE_WHITELIST by CVE_CHECK_WHITELIST
78de2cb39d7 cve-update-db-native: Remove hash column from database.
4b301030cf9 cve-update-db-native: use os.path.join instead of +
f0d822fad2a cve-update-db: actually inherit native
b309840b6aa cve-update-db-native: use executemany() to optimise CPE insertion
bb4e53af33d cve-update-db-native: improve metadata parsing
94227459792 cve-update-db-native: clean up JSON fetching
95438d52b73 cve-update-db-native: fix https proxy issues
1f9a963b9ff glibc: exclude child recipes from CVE scanning
[1] https://nvd.nist.gov/General/News/XML-Vulnerability-Feed-Retirement
(From OE-Core rev: 8c87e78547c598cada1bce92e7b25d85b994e2eb)
Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-10-13 | arch-arm64.inc: Lower the priority of aarch64 in MACHINEOVERRIDES | Peter Kjellerstedt
This makes sure, e.g., ${SOC_FAMILY} and ${MACHINE} have higher priorities than aarch64. Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-10-07 | uninative: Update to 2.7 release [stable/sumo-community] | Michael Halstead
The 2.7 release updates glibc to version 2.30. Recently added to openSUSE Tumbleweed and needed for Fedora Core 31. Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-06-25 | uninative: Update to 2.6 release | Richard Purdie
The 2.6 release contains both libcrypt.so.1 and libcrypt.so.2 which fixes compatibility with recent fedora/suse releases. The difference is one is built with obsolete APIs enabled and one disabled. We now ship both in uninative for compatibility regardless of which distro a binary is built on. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-06-25 | yocto-uninative: Update to 2.5 release | Richard Purdie
This includes libstdc++ changes from gcc 9.X. It also switches uninative from bz2 to xz compression. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-03-25 | yocto-uninative: Update to 2.4 | Richard Purdie
This supports glibc 2.29 which is appearing in distros like Ubuntu 19.04 Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-03-25 | yocto-uninative: Correct sha256sum for aarch64 | Michael Halstead
Avoid uninative checksum warnings when building on aarch64 hardware. Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2019-01-08 | licence: Add license file CC-BY-SA-4.0 | Eric Chanudet
Original legalcode.txt: https://creativecommons.org/licenses/by-sa/4.0/legalcode.txt (From OE-Core rev: fa06fcce7942f5960178dcdeb61a7b659f7f8207) Signed-off-by: Eric Chanudet <chanudete@ainfosec.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-01-08 | maintainers.inc: update Intel owners | Anuj Mittal
(From OE-Core rev: 198fe6d08f000b3db9082b5fd4337536931719ee) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-11-06 | oe-init-buildenv/base: Relax python version checks in favour of HOSTTOOLS manipulation | Richard Purdie
Several distros are now shipping "python" as python v3 contra to the original python guidelines. This causes users confusion/pain in trying to use our tools. We can just force "python" to "python2" within HOSTTOOLS to avoid this issue and hide the complexity from the user. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-10-28 | yocto-uninative: Upgrade to version 2.3 which includes glibc 2.28 | Richard Purdie
This allows us to handle distros which contain glibc 2.28 such as Ubuntu 18.10. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-10-28 | weston: Split out machine specific configuration | Mark Hatle
Weston needs to be configured to load the fbdev driver when run on a QEMU system. Other MACHINEs may want to also provide their own configuration as well. Adding a new RRECOMMEND configuration package will allow this, but avoid installing empty packages/files in the majority case where it is not needed. Add maintainer entry as well. Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-10-20 | tcmode-default: Drop pinning go to 1.9 | Khem Raj
This ensures that we default to latest go recipes. 1.9 is not supported anymore. Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-10-20 | systemd: Remove items that made this machine (qemu) specific | Mark Hatle
Create a new systemd-conf recipe to contain the specific system/machine configuration items. This new package is now machine specific. Without doing this trying to create a single system with multiple BSPs, one of which was qemu based, would result in the systemd -and- everything that depended upon systemd to have their hash changed. The hash changing means lots of rebuilds, but worse if it's a package based system each different machine ends with a new PR value and a newly generated package. Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-10-20 | Revert "os-release: avoid multilib expand" | Richard Purdie
This reverts commit 591a11ba58ce3c2c147bb1f8202bc6a0092b70eb. This is not needed after the recent os-release fix.
2018-10-18 | qemux86/gstreamer: Move kernel module recommendation to the machine configuration | Richard Purdie
If you try to build a system with multiple BSPs, one of which is qemux86 or qemux86-64, the gstreamer package will change. This will trigger anything using gstreamer to also be rebuilt. For a package based system, the PR values will also be incremented each time. The end result will be an ever growing set of PR values as well as being unable to tell which configured version of the multimedia components are really being deployed. These therefore belong in the machine configuration. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-10-18 | maintainers: assign CMake to Pascal Bach | Ross Burton
Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-10-14 | local.conf.sample.extended: add another warning to comment about GLIBC_GENERATE_LOCALES | Martin Jansa
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-10-08 | conf/machine/include: add mcf5441x cpu type tuning | Angelo Dureghello
This patch adds tuning for the mcf5441x ColdFire family. Signed-off-by: Angelo Dureghello <angelo@sysam.it> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-10-08 | conf/machine/include: add m68k architecture definitions | Angelo Dureghello
Signed-off-by: Angelo Dureghello <angelo@sysam.it> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-10-03 | os-release: avoid multilib expand | Kai Kang
Add os-release to NON_MULTILIB_RECIPES in multilib.conf that do not do multilib expand for os-release. Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-10-01 | multilib: avoid expanding grub and grub-efi to multilib | Robert Yang
It doesn't make much sense to expand them to multilib, and there is an error on qemuarm64 since grub-efi supports arm64, but doesn't support armv7a or armv7ve:
* Fixed:
  MACHINE = "qemuarm64"
  require conf/multilib.conf
  MULTILIBS = "multilib:lib32"
  DEFAULTTUNE_virtclass-multilib-lib32 = "armv7a"
  MACHINE_FEATURES_append = " efi"
  $ bitbake lib32-core-image-minimal
Also introduced a variable NON_MULTILIB_RECIPES in multilib.conf, so that we can easily add other recipes, such as syslinux if needed.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-09-27 | layer.conf: Drop sumo from LAYERSERIES_CORENAMES | Richard Purdie
Prepare for release and drop sumo for the compatible list of layer names. This will mean other layers need updating to continue to indicate compatibility with master but that is intentional at this part of the release cycle, we want layers to indicate compatibility and show they're up to date. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-09-24 | layer.conf: Add thud to LAYERSERIES_CORENAMES | Richard Purdie
With the release approaching, add thud to LAYERSERIES_CORENAMES and update oe-core to use this release series. "sumo" will be removed during M4 in the next couple of weeks so people need to start updating their master layers in preparation for release. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-09-20 | yocto-uninative: Add aarch64 uninative tarball checksum | Richard Purdie
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-09-20 | maintainers.inc: Update package owners | Maxin B. John
update Intel owners Signed-off-by: Maxin B. John <maxin.john@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2018-09-19 | libressl: remove recipe | Hongxu Jia
Since openssh supports openssl 1.1.x, there is no reason to keep libressl. Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-09-13 | tune-core2: use n270 instead of core2duo | Anuj Mittal
Fixes warnings in builds using core2-32 tune:
  warning: TCG doesn't support requested feature: CPUID.80000001H:EDX.syscall [bit 11]
  warning: TCG doesn't support requested feature: CPUID.80000001H:EDX.lm [bit 29]
when executing postinsts using qemu-i386. i386 target doesn't enable CPUID_EXT2_SYSCALL and CPUID_EXT2_LM [1] while cpu choice of core2duo that we use for core2-32 TUNE does [2]. Use n270 cpu instead to use with qemu which supports SSSE3 and doesn't have these bits enabled [3].
[1] https://github.com/qemu/qemu/blob/master/target/i386/cpu.c#L739
[2] https://github.com/qemu/qemu/blob/master/target/i386/cpu.c#L1439
[3] https://github.com/qemu/qemu/blob/master/target/i386/cpu.c#L1603
Fixes [YOCTO #12916]
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-09-12 | bitbake.conf: Make BUILD_OPTIMIZATION respect to DEBUG_BUILD | Robert Yang
We may also need debug native tools, so make BUILD_OPTIMIZATION respect to DEBUG_BUILD, otherwise, we need set CFLAGS in the recipe which isn't convenient. Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-09-12 | oe/utils.py: Add vartrue() | Robert Yang
It can be used to simplify code like: "${@['iffalse', 'iftrue'][var]}" Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-09-11 | yasm: remove | Ross Burton
Nothing in oe-core is using yasm now that gstreamer-libav and ffmpeg are using nasm, so remove it from oe-core. Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-09-11 | tclibc-baremetal.inc: Remove BASEDEPENDS on compilerlibs | Nathan Rossi
Without a libc the gcc-runtime provider of compilerlibs does not compile. As such avoid the default dependence on the virtual/${TARGET_PREFIX}compilerlibs provider. Signed-off-by: Nathan Rossi <nathan@nathanrossi.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2018-09-11 | tclibc: For newlib and baremetal disable some security features | Nathan Rossi
With GCCPIE being enabled by default with security_flags.inc the compiler will by default attempt to compile and link programs as PIE. The targets that use newlib and baremetal in general do not support PIE or are otherwise unable to use it due to how embedded targets are compiled and executed. As such it makes sense to disable PIE by default for these libc's in order to prevent build failures. For baremetal tclibc there are no libc features or implementation as such there is no implementation for the strong stack protector by default. Signed-off-by: Nathan Rossi <nathan@nathanrossi.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2018-09-07 | busybox/packagegroups: Break out the busybox-syslog dependency | Richard Purdie
The busybox-syslog rrecommends is proving tricky as it gets pulled in early and there are conflicts between its use of update-alternatives and busybox needing to provide those things. We already have recipes using BAD_RRECOMMENDS to remove this dependency, it probably makes sense to spell it out explicitly and allow it to be overridden more easily. This patch does this, dropping the now unneeded BAD_RRECOMMENDS. It preserves the dependency as a recommendation for now, further cleanup may allow simplification of that. This unbreaks certain build failures on the autobuilder, more as a workaround but is a change we probably want to make anyway. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-09-07 | gdb: Update to 8.2 | Khem Raj
* https://sourceware.org/ml/gdb-announce/2018/msg00003.html
* Support RISC-V
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2018-09-06 | eee-acpi-scripts: remove the recipe | Alexander Kanavin
Asus EEEPc hardware is well obsolete, upstream repo is now gone. Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-09-05 | maintainers: Add entry for fribidi | Richard Purdie
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-09-05 | no-static-libs: disable static libraries in libjpeg-turbo | Ross Burton
Previously this was done with the generic autotools support, but CMake doesn't have a standard option so set it explicitly. Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-09-04 | recipes: Update git.gnome.org addresses after upstream changes | Richard Purdie
git.gnome.org is no more. It has ceased to be. It's an ex-git. Please see here: https://about.gitlab.com/2018/05/31/welcome-gnome-to-gitlab/ Note that gitlab does not support git://, only https:// (and ssh). [Commit message from Alexander Kanavin] Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-09-04 | libressl: add a recipe to support openssh | Alexander Kanavin
After reading through this: https://github.com/openssh/openssh-portable/pull/48 and this thread: https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-October/036344.html I've concluded that this is the best of the three not-great options. The alternatives:
- bundle libressl inside openssh packages
- keep openssh dependent on openssl 1.0 and wait until upstream does something
are both inferior. Libressl is used with openssh in OpenBSD and in OS X, so it did get at least some testing in the real world.
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-09-04 | openssl: rename openssl 1.0.x to openssl10 and make openssl 1.1.x the default version | Alexander Kanavin
I believe the time has come to do this: openssl 1.0 upstream support stops at the end of 2019, and we do not want a situation where a supported YP release contains an unsupported version of a critical security component. Openssl 1.0 can still be utilized by depending on 'openssl10' recipe. Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-08-30 | security_flags.inc: add var-SECURITY_STACK_PROTECTOR to improve variable OVERRIDES | Hongxu Jia
There are var-SECURITY_PIE_CFLAGS, var-lcl_maybe_fortify and var-SECURITY_STRINGFORMAT which are helpful for OVERRIDES. Also add var-SECURITY_STACK_PROTECTOR, and drop hardcoded `_remove' overrides. Such as `4ca946c security_flags: use -fstack-protector-strong', it s/-fstack-protector-all/-fstack-protector-strong/, only tweak var-SECURITY_STACK_PROTECTOR is sufficient. The fix does not have any side effect on SECURITY_CFLAGS of glibc/glibc-initial/gcc-runtime, these three directly assigned with "".
...
SECURITY_CFLAGS_pn-glibc = ""
SECURITY_CFLAGS_pn-glibc-initial = ""
SECURITY_CFLAGS_pn-gcc-runtime = ""
...
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-08-30 | security_flags.inc: use `?=' to set a default var-lcl_maybe_fortify | Hongxu Jia
- Since poky enables security flags+pie by default, tweak comments to sync with it.
  [poky commit]
  491082c poky.conf: Enable security flags+pie by default
  29d76b3 poky-lsb: Remove including security_flags.inc
  [poky commit]
- Use `?=' to set a default lcl_maybe_fortify, it is helpful for variable OVERRIDES.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-08-28 | qemu/bsp: update 4.15 preferred versions to 4.18 | Bruce Ashfield
4.18 is replacing 4.15 as the latest kernel in the upcoming release, so we update our preferred versions to match. Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-08-28 | libc-headers: update to 4.18 | Bruce Ashfield
Updating to the 4.18 headers to match the newest kernel that will be part of the release. 4.18 brings a requirement on bison-native to the libc-headers, since it is required as part of the configuration steps. We also tweak the license md5sum, since the kernel now includes SPDX headers in the license file and that changes our sum. Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-08-23 | sanity.conf: Update minimum bitbake version to 1.39.1 | Richard Purdie
We need this for the new break_hardlinks helper function. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-08-21 | sstate: Avoid indirect autoconf-archive-native dependencies | Changqing Li
remove the indirect dependency of autoconf-archive-native via SSTATE_EXCLUDEDEPS_SYSROOT to avoid not needed .m4 installed into sysroot, which may cause compile problem. Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-08-21 | dos2unix: Move to oe-core | Khem Raj
- Import from meta-oe layer
- This is useful for many packages where CR-LF needs to be adjusted, many recipes depend on it e.g. meta-multimedia libebml and so on.
- Add myself as maintainer for now
Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-08-21 | bitbake.conf, kernel-artifact-names.bbclass: introduce IMAGE_VERSION_SUFFIX instead of using DATETIME directly | Martin Jansa
* this makes it easier to use different version string than DATETIME, e.g. set from jenkins job while keeping the suffix consistent across all artifacts stored in DEPLOYDIR
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-08-20 | powerpc: Remove pie flags from compiler cmdline | Khem Raj
Original approach to add -no-<pie> flags cause link time behavior changes where packages start to lose the -fPIC -DPIC in compiler cmdline and this list keeps growing as we build more and more packages. Instead let's just remove the options we don't need from SECURITY_CFLAGS; this makes it more robust and less intrusive. This also means we do not need to re-add pic options as we started to do for affected packages. Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>