Ross Burton [Mon, 18 Nov 2019 16:46:45 +0000 (16:46 +0000)]
cve-check: rewrite look to fix false negatives
A previous optimisation was premature and resulted in false-negatives in the report.
Rewrite the checking algorithm to first get the list of potential CVEs by
vendor:product, then iterate through every matching CPE for that CVE to
determine if the bounds match or not. By doing this in two stages we can know
if we've checked every CPE, instead of accidentally breaking out of the scan too
early.
Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
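The two-stage check described in this commit message, as an added example (not the cve-check code itself). The rows, the `CVE-0000-*` identifiers, the function names and the dotted-integer version comparison are all constructed for illustration; `first_row_only` is a constructed single-pass variant that shows how stopping early on a CVE produces a false negative.

```python
import operator

OPS = {">=": operator.ge, ">": operator.gt, "<=": operator.le, "<": operator.lt}

# Constructed sample rows, one per CPE entry:
# (cve, vendor, product, version_start, start_op, version_end, end_op)
ROWS = [
    ("CVE-0000-0001", "acme", "widget", "1.0", ">=", "1.4", "<"),
    ("CVE-0000-0001", "acme", "widget", "2.0", ">=", "2.3", "<="),
    ("CVE-0000-0002", "acme", "widget", "3.0", "=", "", ""),
    ("CVE-0000-0003", "acme", "gadget", "2.0", ">=", "2.9", "<="),
]

def vtuple(version):
    """Simplified comparison key: dotted integers only (an assumption)."""
    return tuple(int(part) for part in version.split("."))

def in_bounds(version, row):
    """True if version falls inside the range described by one CPE row."""
    start, start_op, end, end_op = row[3:7]
    v = vtuple(version)
    if start_op == "=":
        return v == vtuple(start)
    lower_ok = not start_op or OPS[start_op](v, vtuple(start))
    upper_ok = not end_op or OPS[end_op](v, vtuple(end))
    return lower_ok and upper_ok

def two_stage(rows, vendor, product, version):
    """Stage 1: candidate CVEs by vendor:product. Stage 2: test every CPE."""
    key = (vendor, product)
    candidates = sorted({r[0] for r in rows if r[1:3] == key})
    verdict = {}
    for cve in candidates:
        cpes = [r for r in rows if r[0] == cve and r[1:3] == key]
        # Affected if any one of the CVE's CPE ranges contains the version.
        verdict[cve] = any(in_bounds(version, r) for r in cpes)
    return verdict

def first_row_only(rows, vendor, product, version):
    """Constructed single-pass variant that stops at the first CPE per CVE."""
    verdict = {}
    for r in rows:
        if r[1:3] == (vendor, product) and r[0] not in verdict:
            verdict[r[0]] = in_bounds(version, r)
    return verdict

if __name__ == "__main__":
    print(two_stage(ROWS, "acme", "widget", "2.1"))
    print(first_row_only(ROWS, "acme", "widget", "2.1"))
```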
Ross Burton [Mon, 18 Nov 2019 16:46:44 +0000 (16:46 +0000)]
cve-update-db-native: clean up proxy handling
urllib handles adding proxy handlers if the proxies are set in the environment,
so call bb.utils.export_proxies() to do that and remove the manual setup.
Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Unfortunately this change broke 'devtool upgrade' functionality,
causing 'devtool finish' to write out an upgraded recipe that no
longer includes the original upstream source in SRC_URI.
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is the second last release of py 2.x; upstream support ends on
1 January 2020, there will be one final 2.x afterwards.
Note that the only thing that still needs python 2.x in oe-core is
u-boot; when the next u-boot update arrives, we should find out
where the py3 migration is for that component before merging the
update.
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Richard Purdie [Mon, 18 Nov 2019 15:44:21 +0000 (15:44 +0000)]
recipetool/create: Fix to work with reproducible_builds
The extra directory created by reproducible_builds was confusing recipetool
and hence devtool. Ignore this directory to restore the correct behaviour and
allow it to work with the class.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Paul Barker [Fri, 15 Nov 2019 13:00:48 +0000 (13:00 +0000)]
cdrtools-native: Don't set uid/gid during install
This is a native recipe so won't be installed as root.
If the string 'root' is part of the username then the install script
can get tricked into thinking we are root (regardless of the actual
uid or permissions) resulting in attempts to run chown/chgrp
inappropriately.
Signed-off-by: Paul Barker <paul@betafive.co.uk> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Alistair Francis [Thu, 14 Nov 2019 20:22:20 +0000 (12:22 -0800)]
mesa: Upgrade to 19.2.4
Upgrade mesa and mesa-gl to 19.2.4.
The license hash change was a trivial new line removal.
The glx-tls option was removed as it isn't included in the meson.build
file. It has been replaced with 'use-elf-tls' instead.
I have backported the asm removal as an attempt to fix the musl build
issue.
Signed-off-by: Alistair Francis <alistair@alistair23.me> Signed-off-by: Alistair Francis <alistair.francis@wdc.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Chee Yang Lee [Fri, 15 Nov 2019 01:58:48 +0000 (09:58 +0800)]
wic: rm with -r flag support
wic is currently unable to remove a non-empty directory in an ext* partition.
Enable wic rm to remove a non-empty directory and all the sub-content
with the -r flag.
Update help documents for 'wic rm'.
[YOCTO #12404]
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Kai Kang [Fri, 15 Nov 2019 07:42:02 +0000 (15:42 +0800)]
systemd: remove ${PN}-xorg-xinitrc
In 50-systemd-user.sh which is packaged to sub-package
${PN}-xorg-xinitrc, it exports environment variables DISPLAY and
XAUTHORITY to systemd. It fails to start systemd services which require
these environment variables such as thunar.service:
Nov 14 07:47:29 qemux86-64 systemd[352]: Starting Thunar file manager...
Nov 14 07:47:29 qemux86-64 Thunar[873]: cannot open display:
Nov 14 07:47:29 qemux86-64 systemd[352]: thunar.service: Main process exited, code=exited, status=1/FAILURE
Nov 14 07:47:29 qemux86-64 systemd[352]: thunar.service: Failed with result 'exit-code'.
Nov 14 07:47:29 qemux86-64 systemd[352]: Failed to start Thunar file manager.
It is not convenient to make all such kinds of packages require package
${PN}-xorg-xinitrc, so remove the sub-package and merge the only file
provided by it to main package.
No recipe depends on ${PN}-xorg-xinitrc in oe-core and meta-openembedded
now, so no need to set rprovides for it.
Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
distro_features_check: expand with MACHINE_FEATURES and COMBINED_FEATURES, rename
Besides checking DISTRO_FEATURES for required or conflicting features,
being able to check MACHINE_FEATURES and/or COMBINED_FEATURES may also
be useful at times.
Temporarily support the old class name with a warning about future
deprecation.
Signed-off-by: Denys Dmytriyenko <denys@ti.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Paul Barker [Tue, 12 Nov 2019 22:10:03 +0000 (22:10 +0000)]
scripts/native-intercept: Add chgrp intercept
Some installation rules have been seen to run chgrp for native recipes
which leads to 'Operation not permitted' errors. To prevent this we
need a chgrp intercept script to go with the existing chown intercept.
Signed-off-by: Paul Barker <paul@betafive.co.uk> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Anuj Mittal [Wed, 13 Nov 2019 08:41:06 +0000 (16:41 +0800)]
libsdl2: fix race when building in parallel
Fixes a race where it tries to build version res file in build directory
before it has even been created. Prevents intermittent errors on
autobuilder when building for mingw:
| /bin/bash ../SDL2-2.0.10/build-scripts/updaterev.sh
| /bin/bash ../SDL2-2.0.10/build-scripts/mkinstalldirs build
| mkdir -p -- build
| x86_64-pokysdk-mingw32-windres --include-dir=/home/pokybuild/yocto-worker/meta-mingw/build/build/tmp/work/x86_64-nativesdk-mingw32-pokysdk-mingw32/nativesdk-libsdl2/2.0.10-r0/recipe-sysroot/opt/poky/3.0/sysroots/x86_64-pokysdk-mingw32/us
| /include ../SDL2-2.0.10/src/main/windows/version.rc build/version.o
| x86_64-pokysdk-mingw32-windres: build/version.o: No such file or directory
| Makefile:692: recipe for target 'build/version.o' failed
| make: *** [build/version.o] Error 1
| make: *** Waiting for unfinished jobs....
| touch build/.created
| WARNING: exit code 1 from a shell command.
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Yongxin Liu [Wed, 13 Nov 2019 06:48:55 +0000 (14:48 +0800)]
ltp: Add "udevadm trigger" before swap verification in mkswap01.sh
Swap verification sometimes fails due to race condition with udev.
This is a known issue: https://github.com/linux-test-project/ltp/issues/458.
"udevadm trigger" forces udev to sync up device events with kernel.
Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
sysstat: Correct when to use the package provided systemd unit files
There have been a number of changes back and forth as to when and how
to use the systemd unit files provided by the package. The correct
condition is actually that both cron and systemd need to be enabled
for them to be installed.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In commit 8862f21e (sysstat: 12.1.3 -> 12.1.6), sa_lib_dir was changed
from "${libdir}/sa" to "${libexecdir}/sa" to avoid problems with
multilib. However, the systemd unit file was not changed accordingly,
which led to the following error when trying to start the service:
systemd[4698]: sysstat.service: Failed at step EXEC spawning
/usr/lib/sa/sa1: No such file or directory
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Joshua Watt [Wed, 13 Nov 2019 04:10:31 +0000 (22:10 -0600)]
mc: Fix build reproducibility
Fixes some issues with reproducible builds. Adds a patch to allow the
configure arguments to be omitted from the build and also explicitly
setting some autoconf paths that were picking up hosttools.
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Joshua Watt [Wed, 13 Nov 2019 21:24:00 +0000 (15:24 -0600)]
icecc-create-env: Use OE patchelf in SDK
The Icecream environment creation script runs when the SDK is installed
and uses patchelf to fix up executables. Rather than rely on the host
system to provide patchelf (which often can be older versions that
produce buggy executables), mark the OE version of patchelf as a
dependency of icecc-create-env when included in the SDK.
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Yeoh Ee Peng [Thu, 7 Nov 2019 09:50:30 +0000 (17:50 +0800)]
resulttool/store.py: Enable add extra test environment data
Enable the option to add extra test environment data to the
configuration of each test result (as optional).
Examples of optional test environment data include:
- custom packages included for runtime test
- detailed machine specification used as target
- detailed host environment used for bitbake
Signed-off-by: Yeoh Ee Peng <ee.peng.yeoh@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Yeoh Ee Peng [Thu, 7 Nov 2019 09:50:28 +0000 (17:50 +0800)]
scripts/resulttool/report: Enable output raw test results
When debugging, a report user needs to access the raw
test result. Instead of going back to the source file/directory/URL
to manually pull out the raw result, provide an alternative
way to let the report show raw test results by providing
the result id (optional).
Signed-off-by: Yeoh Ee Peng <ee.peng.yeoh@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Yeoh Ee Peng [Thu, 7 Nov 2019 09:50:27 +0000 (17:50 +0800)]
scripts/resulttool/report: Enable report to use regression_map
By default, report will use the store_map to generate the key
to reference each result set. In some situations, when using store_map
with multiple sets of tests sharing similar test configurations,
the report will only show a partial result set for results
that have an identical result_id (use of multiconfig to run tests
where it generates an identical result_id).
Enable report to have the option to use the regression_map (optional)
instead of the default store_map, where it will take a larger
set of configurations to generate the key to reference each
result set. This will prevent the report from only showing
a partial result set.
Signed-off-by: Yeoh Ee Peng <ee.peng.yeoh@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ross Burton [Thu, 7 Nov 2019 23:58:30 +0000 (23:58 +0000)]
cve-update-db-native: don't refresh more than once an hour
We already fetch the yearly CVE metadata and check that for updates before
downloading the full data, but we can speed up CVE checking further by only
checking the CVE metadata once an hour.
Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
buildhistory: fix "version went backwards" QA error message
Fix parentheses placement in the message from:
Package version for package X went backwards which would break package feeds from (Y to Z)
to this one:
Package version for package X went backwards which would break package feeds (from Y to Z)
Signed-off-by: Denys Dmytriyenko <denys@ti.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Haris Okanovic [Fri, 8 Nov 2019 21:46:31 +0000 (15:46 -0600)]
dhcp: Workaround busybox limitation in Linux dhclient-script
Busybox's implementation of chown and chmod doesn't provide a
"--reference" option used in the latest version of dhclient-script.
This change works around that limitation by using stat to read
ownership and permissions flags and simple chown/chmod calls
supported in both coreutils and busybox.
Patch submitted upstream to ISC, tracked as bug 48771.
Signed-off-by: Haris Okanovic <haris.okanovic@ni.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Trevor Gamblin [Sat, 9 Nov 2019 01:46:40 +0000 (20:46 -0500)]
python3-misc: add python3-audio to RDEPENDS
Import issues are encountered for the python3 aifc module,
on images with python3-misc installed:
|>>> import aifc
|Traceback (most recent call last):
|File "<stdin>", line 1, in <module>
|File "/usr/lib64/python3.7/aifc.py", line 254, in <module>
|from chunk import Chunk
|ModuleNotFoundError: No module named 'chunk'
|>>>
The chunk module is part of python3-audio. Add python3-audio
to RDEPENDS for python3-misc to fix the error.
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
include ${@bb.utils.contains('PACKAGECONFIG', 'scripting', 'perf-perl.inc', '', d)}
1. "${...}" part expands into empty string
2. bb.utils.which() takes empty string and returns first directory name from bbpath
3. shutil.copy() fails on copying directory:
Exception: IsADirectoryError: [Errno 21] Is a directory: ......
Hence, check "incfile" variable on each step.
Signed-off-by: grygorii tertychnyi <gtertych@cisco.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Stefan Agner [Mon, 11 Nov 2019 13:36:26 +0000 (13:36 +0000)]
dbus: drop unused group netdev
The whole D-Bus source has no reference to the netdev group. It
seems that the netdev group is nowhere used. Early avahi package
versions used this group for the D-Bus specific rules. However,
today avahi uses --with-avahi-priv-access-group=adm and hence
uses the adm group for its D-Bus policy rules.
If a package is using the netdev group in its D-Bus policy rules,
that package should add the group instead.
Signed-off-by: Stefan Agner <stefan.agner@toradex.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Richard Purdie [Mon, 11 Nov 2019 13:20:42 +0000 (13:20 +0000)]
sqlite3: Drop pic as we no longer need the sqlite3 static lib
This was added in:
https://git.openembedded.org/openembedded-core/commit/?id=6a58e12d19c539deac9e90679a68438497a42fa4
but is no longer needed now pseudo doesn't use sqlite's static lib.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Richard Purdie [Fri, 8 Nov 2019 14:36:36 +0000 (14:36 +0000)]
pseudo: Drop static linking to sqlite3
Back in 2010[1] we made pseudo statically link against sqlite3. Since then
the world has changed, pseudo now has separate processes for the database
in the server and the client and they have separate linking commands.
Also, whilst there were concerns about needing specific versions of sqlite3,
in the OE environment, this is always the case.
The static sqlite3-native is causing us problems, in particular:
tmp/work/x86_64-linux/pseudo-native/1.9.0+gitAUTOINC+060058bb29-r0/recipe-sysroot-native/usr/lib/libsqlite3.a(sqlite3.o):(.data.rel+0xb0): undefined reference to `fcntl64'
which occurs if sqlite3-native was built on a machine with glibc 2.28 or later
and pseudo-native is being built on glibc before that. With dynamic linking,
libc is backwards compatible and works but with static linking it does not.
There appears to be no easy way to avoid this other than adding a copy of
sqlite3 into the pseudo recipe. Given the static linking doesn't seem to
be required any longer due to the separate processes, drop that to fix
those issues.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Jacob Kroon [Thu, 7 Nov 2019 15:35:15 +0000 (16:35 +0100)]
rm_work: Simplify logic for setscene promotion
* Instead of overwriting the stamp name with 'dummy', handle
setscene promotion in the default case block
* Merge '*do_image_complete_setscene*' and '*do_image_qa_setscene*'
case handling
Signed-off-by: Jacob Kroon <jacob.kroon@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
- Replacing TUNE_FEATURES from aarch64 to armv8a will solve the above
build issue.
- Changed BASE_LIB to 'lib', as cortex-a32 is a 32bit ARMv8a architecture.
The sample machine config file (qemuarma32.conf) used to reproduce
the error looks like:
Mikko Rapeli [Thu, 7 Nov 2019 13:39:11 +0000 (15:39 +0200)]
harfbuzz: split libharfbuzz-subset.so to its own binary package
harfbuzz binary package size increased from 624608 bytes in yocto 2.5 to 1365431 bytes in yocto 3.0. Most of the size increase is in the new
libharfbuzz-subset.so* library
https://harfbuzz.github.io/utilities.html#utilities-command-line-hbsubset
Split it to its own binary package which will be installed if anyone needs it.
Effect to harfbuzz binary package size is:
Haris Okanovic [Thu, 7 Nov 2019 22:07:36 +0000 (16:07 -0600)]
meta/lib/oe/package_manager.py: Enable sha256 checksums in opkg indexer
Pass `--checksum md5` and `--checksum sha256` to opkg-make-index.
Sha256 checksum enables more reliable install-time validation of IPKs.
This is particularly useful when installing from signed feeds --
i.e. feeds using signed Packages index files that deliver otherwise
unsigned IPKs. Such feeds rely on hash validation of enclosed IPKs to
thwart tampering. After download, opkg verifies IPK's checksum against
the (signed) Packages index file. Weak hashes like md5 are prone to
collision and therefore tampering.
The md5 checksum is purely for backward compatibility. Sha256 validation
was recently added to opkg. Newer builds of opkg will use it. Older
builds still look for an md5 checksum. Md5 is deprecated and should be
removed once old builds are phased out.
Testing: I ran `bitbake package-index` after building a few IPKs and
verified MD5Sum and SHA256sum attributes are present in Packages.
Using opkg-utils 0.4.0.
Performance Impact: It takes about 40 seconds to cleanly re-index 8000
IPKs on an Intel Xeon E5-1620 machine. This was previously about
20 seconds.
NOTE: It's recommended to delete all Packages* files after applying this
patch. Otherwise, some IPKs won't have sha256.
Signed-off-by: Haris Okanovic <haris.okanovic@ni.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
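The install-time check this commit message relies on, as an added example (not opkg's or oe-core's code): a downloaded IPK is accepted only if its SHA-256 matches the `SHA256sum` field of its Packages entry. The function names, sample index and payloads are constructed, and the index is assumed to have already passed signature verification.

```python
import hashlib
import hmac

def parse_packages(text):
    """Parse a Packages index into {Filename: {field: value}}."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line[:1].isspace():
                continue  # continuation of a multi-line field, not a new key
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "Filename" in fields:
            index[fields["Filename"]] = fields
    return index

def verify_ipk(index, filename, data):
    """Return 'ok' only when data matches the entry's SHA256sum."""
    entry = index.get(filename)
    if entry is None:
        return "not-in-index"
    expected = entry.get("SHA256sum")
    if expected is None:
        # An entry indexed before the change carries no SHA-256 at all.
        return "md5-only" if "MD5Sum" in entry else "no-checksum"
    actual = hashlib.sha256(data).hexdigest()
    return "ok" if hmac.compare_digest(actual, expected.lower()) else "mismatch"

# Constructed sample data: one entry with both checksums, one legacy entry.
GOOD = b"constructed ipk payload"
INDEX_TEXT = (
    "Package: demo\nVersion: 1.0\nFilename: demo_1.0_all.ipk\n"
    "MD5Sum: " + "0" * 32 + "\n"
    "SHA256sum: " + hashlib.sha256(GOOD).hexdigest() + "\n"
    "Description: constructed entry\n Filename: not-a-real-field\n"
    "\n"
    "Package: legacy\nVersion: 0.9\nFilename: legacy_0.9_all.ipk\n"
    "MD5Sum: " + "1" * 32 + "\n"
)
INDEX = parse_packages(INDEX_TEXT)

if __name__ == "__main__":
    print(verify_ipk(INDEX, "demo_1.0_all.ipk", GOOD))
    print(verify_ipk(INDEX, "demo_1.0_all.ipk", GOOD + b"!"))
    print(verify_ipk(INDEX, "legacy_0.9_all.ipk", b"old"))
```

The `md5-only` result corresponds to the commit's NOTE: entries left over from an index generated before the change have no sha256 until the Packages files are regenerated.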
Haris Okanovic [Thu, 7 Nov 2019 22:04:21 +0000 (16:04 -0600)]
opkg: RDEPEND "gnupg-gpg" instead of "gnupg"
gnupg-gpg is a minimal installation of gnupg with enough functionality
to verify signatures and manage keys. Use this package instead of full
gnupg to slim down opkg installations with "--enable-gpg".
Signed-off-by: Haris Okanovic <haris.okanovic@ni.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Haris Okanovic [Thu, 7 Nov 2019 22:04:19 +0000 (16:04 -0600)]
gnupg: Split gpg and gpg-agent into a minimal gnupg-gpg package
Add minimal "gnupg-gpg" package containing just enough binaries to run
gpg and gpg-agent. Add dependency in normal "gnupg" package to preserve
old behavior.
Some applications like opkg don't need all functionality provided by
normal gnupg installations. This minimal package provides just enough
functionality to verify and manage keys in opkg, in order to minimize
disk overhead.
Signed-off-by: Haris Okanovic <haris.okanovic@ni.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
André Draszik [Thu, 7 Nov 2019 15:36:39 +0000 (15:36 +0000)]
libevent: update packaging (one package per shared library)
libevent produces several libraries that might or might not
be used in the end. We can prevent those potentially unused
libraries from being pulled into a file-system by splitting
the individual shared libraries into individual packages.
Because this recipe only provides shared libraries which are
handled automatically by bitbake (shlibs), there is no need
to add the subpackages to the RDEPENDS of PN for backwards
compatibility. The packaging process of dependees will
simply pull in the sub-packages as runtime dependency as
needed.
This is also how Debian splits this up.
While updating the packaging, we can also drop event_rpcgen.py
which appears to be a tool for generating rpc bindings, i.e.
something that should normally be in -dev. Given Debian
doesn't package this at all, and given it actually requires
python to run but no runtime dependency is stated at the
moment, it would appear that no users of this exist.
Signed-off-by: André Draszik <git@andred.net> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Haris Okanovic [Thu, 7 Nov 2019 19:24:54 +0000 (13:24 -0600)]
initscripts/sysfs.sh: Mount /sys/firmware/efi/efivars when possible
Without this change, efibootmgr is unable to recover BootOrder if lost
during a previous write operation, e.g. exceeded storage capacity. This
is problematic when using EFI to manage boot flow from Linux (e.g. via RAUC).