Stefan Agner [Fri, 22 Nov 2019 16:24:41 +0000 (16:24 +0000)]
rpcbind: use upstream systemd service
Use upstream systemd service files instead of our own service files.
This also makes sure that /run/rpcbind.sock is used which fixes the
following systemd warning:
/usr/lib/systemd/system/rpcbind.socket:5: ListenStream= references a
path below legacy directory /var/run/, updating /var/run/rpcbind.sock
→ /run/rpcbind.sock; please update the unit file accordingly.
Signed-off-by: Stefan Agner <stefan.agner@toradex.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Stefan Ghinea [Thu, 21 Nov 2019 15:28:04 +0000 (17:28 +0200)]
ghostscript: CVE-2019-14869
A flaw was found in all versions of ghostscript 9.x before 9.28,
where the `.charkeys` procedure did not properly secure
its privileged calls, enabling scripts to bypass `-dSAFER` restrictions.
An attacker could abuse this flaw by creating a specially crafted
PostScript file that could escalate privileges within Ghostscript
and access files outside of restricted areas or execute commands.
Wenlin Kang [Tue, 5 Nov 2019 10:04:20 +0000 (18:04 +0800)]
sysstat: remove check for chkconfig
For cross-platform builds, chkconfig can't work, so the check for it should be removed.
This can only be reproduced on some platforms with chkconfig (e.g. CentOS
Linux release 7.2.1511), and needs --enable-install-cron and no
--enable-copy-only.
Fixed:
| if [ "n" == "n" ]; then \
| if [ -x "/usr/sbin/chkconfig" ]; then \
| cd /path/to/tmp/work/corei7-64-wrs-linux/sysstat/11.1.5-r0/image/etc/rc.d/init.d && /usr/sbin/chkconfig --add sysstat; \
| else \
| [ -d /path/to/tmp/work/corei7-64-wrs-linux/sysstat/11.1.5-r0/image/etc/rc.d/rc2.d ] || mkdir -p /path/to/tmp/work/corei7-64-wrs-linux/sysstat/11.1.5-r0/image/etc/rc.d/rc2.d; \
| [ -d /path/to/tmp/work/corei7-64-wrs-linux/sysstat/11.1.5-r0/image/etc/rc.d/rc3.d ] || mkdir -p /path/to/tmp/work/corei7-64-wrs-linux/sysstat/11.1.5-r0/image/etc/rc.d/rc3.d; \
| [ -d /path/to/tmp/work/corei7-64-wrs-linux/sysstat/11.1.5-r0/image/etc/rc.d/rc5.d ] || mkdir -p /path/to/tmp/work/corei7-64-wrs-linux/sysstat/11.1.5-r0/image/etc/rc.d/rc5.d; \
| cd /path/to/tmp/work/corei7-64-wrs-linux/sysstat/11.1.5-r0/image/etc/rc.d/rc2.d && ln -s -f ../init.d/sysstat S01sysstat; \
| cd /path/to/tmp/work/corei7-64-wrs-linux/sysstat/11.1.5-r0/image/etc/rc.d/rc3.d && ln -s -f ../init.d/sysstat S01sysstat; \
| cd /path/to/tmp/work/corei7-64-wrs-linux/sysstat/11.1.5-r0/image/etc/rc.d/rc5.d && ln -s -f ../init.d/sysstat S01sysstat; \
| fi \
| fi \
| elif [ -d /path/to/tmp/work/corei7-64-wrs-linux/sysstat/11.1.5-r0/image/etc/rc.d ]; then \
| ...
| fi
| error reading information on service sysstat: No such file or directory
| Makefile:382: recipe for target 'install_all' failed
Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
Ross Burton [Fri, 17 Nov 2017 20:19:32 +0000 (20:19 +0000)]
texi2html: remove
The last user of this obsolete recipe (abandoned upstream in 2010, removed from
oe-core build dependencies in 2012) has now been deleted from oe-core, so delete
the recipe too.
Signed-off-by: Ross Burton <ross.burton@intel.com>
Ross Burton [Tue, 19 Nov 2019 20:38:24 +0000 (20:38 +0000)]
packagegroup-core-sdk: remove intltool
Intltool is deprecated these days, as gettext can handle almost everything
intltool could. Remove it from the SDK packagegroups, if it is needed then the
user can add it explicitly.
Signed-off-by: Ross Burton <ross.burton@intel.com>
The homepage: https://www.kernel.org/doc/man-pages/download.html
specifies that the latest tarballs are published one level up
from where we currently take them.
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
Alex Kube [Fri, 25 Oct 2019 19:19:15 +0000 (23:49 +0430)]
go: Extract common environment setup.
Add default values for go environment variables to go-common.inc.
Override where appropriate in other go*.inc files, and use
host/target tuples from goarch for setting CC flags.
Signed-off-by: Alex Kube <alexander.j.kube@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
Richard Purdie [Fri, 22 Nov 2019 15:12:44 +0000 (15:12 +0000)]
package_ipk: Remove pointless comment to trigger rebuild
The opkg-utils change didn't trigger a full repackage due to its mention
in layer.conf for update-alternatives hash exclusion. Do it manually
to invalidate broken ipks.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Richard Purdie [Thu, 21 Nov 2019 14:59:06 +0000 (14:59 +0000)]
sanity: Add check for tar older than 1.28
Older versions break opkg-build when reproducible builds are enabled.
Rather than trying to be selective based on which features are enabled,
let's just make this a minimum version.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
opkg-build was failing on hosts where tar < 1.28 and reproducible builds
were enabled but it was doing this silently and generating corrupted
(empty) ipk files. Add a fix for this (submitted upstream).
The fix requires bash but if you're building ipk files this shouldn't be
a problem.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Paul Eggleton [Tue, 19 Nov 2019 10:52:52 +0000 (23:52 +1300)]
devtool: fix devtool upgrade with reproducible_builds class
If the reproducible_build class is inherited then there may be a
"source-date-epoch" subdirectory in a fetched source tree; devtool
upgrade was not expecting that in the upgraded source. Take a small
snippet of code from recipetool create which already handles this,
and make it a shared function that can be used in both places.
Additionally, fix an assumption that the source is always in a
subdirectory in the cleanup code that blocked debugging this.
[YOCTO #13635]
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ross Burton [Mon, 18 Nov 2019 16:46:47 +0000 (16:46 +0000)]
cve-check: fetch CVE data once at a time instead of in a single call
This code used to construct a single SQL statement that fetched the NVD data for
every CVE requested. For recipes such as the kernel where there are over 2000
CVEs to report this can hit the variable count limit and the query fails with
"sqlite3.OperationalError: too many SQL variables". The default limit is 999
variables, but some distributions such as Debian set the default to 250000.
As the NVD table has an index on the ID column, whilst requesting the data
CVE-by-CVE is five times slower when working with 2000 CVEs, the absolute time
difference is insignificant: 0.05s versus 0.01s on my machine.
Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ross Burton [Mon, 18 Nov 2019 16:46:45 +0000 (16:46 +0000)]
cve-check: rewrite look to fix false negatives
A previous optimisation was premature and resulted in false-negatives in the report.
Rewrite the checking algorithm to first get the list of potential CVEs by
vendor:product, then iterate through every matching CPE for that CVE to
determine if the bounds match or not. By doing this in two stages we can know
if we've checked every CPE, instead of accidentally breaking out of the scan too
early.
Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
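The two cve-check messages above describe a two-stage match (candidates by vendor:product, then every CPE row of each candidate) and a per-CVE detail lookup. The sketch below is an added example and not the cve-check code itself; the table layout, column names, the `ver` helper and all sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample data; table and column names are assumptions for this example.
CPE_ROWS = [  # (cve id, vendor, product, first affected, first fixed)
    ("CVE-0000-0001", "acme", "widget", "1.0", "1.2"),
    ("CVE-0000-0001", "acme", "widget", "2.0", "2.5"),  # second CPE row, same CVE
    ("CVE-0000-0002", "acme", "widget", "3.0", "3.1"),
    ("CVE-0000-0003", "acme", "gadget", "1.0", "9.0"),  # other product
]

def ver(text):
    """Simplified dotted-integer version key (assumption: no suffixes)."""
    return tuple(int(part) for part in text.split("."))

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id TEXT, vendor TEXT, product TEXT,"
               " start_incl TEXT, end_excl TEXT)")
    db.execute("CREATE TABLE nvd (id TEXT PRIMARY KEY, summary TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?, ?, ?)", CPE_ROWS)
    ids = sorted({row[0] for row in CPE_ROWS})
    db.executemany("INSERT INTO nvd VALUES (?, ?)",
                   [(i, "constructed summary for " + i) for i in ids])
    return db

def affected_cves(db, vendor, product, version):
    # Stage 1: every CVE that mentions this vendor:product at all.
    candidates = [r[0] for r in db.execute(
        "SELECT DISTINCT id FROM products WHERE vendor = ? AND product = ?"
        " ORDER BY id", (vendor, product))]
    hits = []
    for cve in candidates:
        # Stage 2: look at every CPE row of this CVE; it only counts as
        # not affecting us once all rows have been examined without a match.
        rows = db.execute(
            "SELECT start_incl, end_excl FROM products"
            " WHERE id = ? AND vendor = ? AND product = ?",
            (cve, vendor, product)).fetchall()
        if any(ver(lo) <= ver(version) < ver(hi) for lo, hi in rows):
            hits.append(cve)
    return hits

def cve_details(db, cve_ids):
    # One query and one bound variable per CVE, so the statement never grows
    # with the number of CVEs; the primary-key index keeps each lookup cheap.
    details = {}
    for cve in cve_ids:
        row = db.execute("SELECT summary FROM nvd WHERE id = ?", (cve,)).fetchone()
        if row is not None:
            details[cve] = row[0]
    return details
```

With version 2.3 only the second row of CVE-0000-0001 matches, so a scan that stopped after the first non-matching row would report a false negative.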
Ross Burton [Mon, 18 Nov 2019 16:46:44 +0000 (16:46 +0000)]
cve-update-db-native: clean up proxy handling
urllib handles adding proxy handlers if the proxies are set in the environment,
so call bb.utils.export_proxies() to do that and remove the manual setup.
Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Unfortunately this change broke 'devtool upgrade' functionality,
causing 'devtool finish' to write out an upgraded recipe that no
longer includes the original upstream source in SRC_URI.
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is the second last release of py 2.x; upstream support ends on
1 January 2020, there will be one final 2.x afterwards.
Note that the only thing that still needs python 2.x in oe-core is
u-boot; when the next u-boot update arrives, we should find out
where the py3 migration is for that component before merging the
update.
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Richard Purdie [Mon, 18 Nov 2019 15:44:21 +0000 (15:44 +0000)]
recipetool/create: Fix to work with reproducible_builds
The extra directory created by reproducible_builds was confusing recipetool
and hence devtool. Ignore this directory to restore the correct behaviour and
allow it to work with the class.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Paul Barker [Fri, 15 Nov 2019 13:00:48 +0000 (13:00 +0000)]
cdrtools-native: Don't set uid/gid during install
This is a native recipe so won't be installed as root.
If the string 'root' is part of the username then the install script
can get tricked into thinking we are root (regardless of the actual
uid or permissions) resulting in attempts to run chown/chgrp
inappropriately.
Signed-off-by: Paul Barker <paul@betafive.co.uk> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Alistair Francis [Thu, 14 Nov 2019 20:22:20 +0000 (12:22 -0800)]
mesa: Upgrade to 19.2.4
Upgrade mesa and mesa-gl to 19.2.4.
The license hash change was a trivial new line removal.
The glx-tls option was removed as it isn't included in the meson.build
file. It has been replaced with 'use-elf-tls' instead.
I have backported the asm removal as an attempt to fix the musl build
issue.
Signed-off-by: Alistair Francis <alistair@alistair23.me> Signed-off-by: Alistair Francis <alistair.francis@wdc.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Chee Yang Lee [Fri, 15 Nov 2019 01:58:48 +0000 (09:58 +0800)]
wic: rm with -r flag support
wic is currently unable to remove a non-empty directory in an ext* partition.
Enable wic rm to remove a non-empty directory and all the sub-content
with the -r flag.
Update help documents for 'wic rm'.
[YOCTO #12404]
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Kai Kang [Fri, 15 Nov 2019 07:42:02 +0000 (15:42 +0800)]
systemd: remove ${PN}-xorg-xinitrc
In 50-systemd-user.sh which is packaged to sub-package
${PN}-xorg-xinitrc, it exports environment variables DISPLAY and
XAUTHORITY to systemd. It fails to start systemd services which require
these environment variables such as thunar.service:
Nov 14 07:47:29 qemux86-64 systemd[352]: Starting Thunar file manager...
Nov 14 07:47:29 qemux86-64 Thunar[873]: cannot open display:
Nov 14 07:47:29 qemux86-64 systemd[352]: thunar.service: Main process exited, code=exited, status=1/FAILURE
Nov 14 07:47:29 qemux86-64 systemd[352]: thunar.service: Failed with result 'exit-code'.
Nov 14 07:47:29 qemux86-64 systemd[352]: Failed to start Thunar file manager.
It is not convenient to make all such packages require package
${PN}-xorg-xinitrc, so remove the sub-package and merge the only file
provided by it to main package.
No recipe depends on ${PN}-xorg-xinitrc in oe-core and meta-openembedded
now, so no need to set rprovides for it.
Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
distro_features_check: expand with MACHINE_FEATURES and COMBINED_FEATURES, rename
Besides checking DISTRO_FEATURES for required or conflicting features,
being able to check MACHINE_FEATURES and/or COMBINED_FEATURES may also
be useful at times.
Temporarily support the old class name with a warning about future
deprecation.
Signed-off-by: Denys Dmytriyenko <denys@ti.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Paul Barker [Tue, 12 Nov 2019 22:10:03 +0000 (22:10 +0000)]
scripts/native-intercept: Add chgrp intercept
Some installation rules have been seen to run chgrp for native recipes
which leads to 'Operation not permitted' errors. To prevent this we
need a chgrp intercept script to go with the existing chown intercept.
Signed-off-by: Paul Barker <paul@betafive.co.uk> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Anuj Mittal [Wed, 13 Nov 2019 08:41:06 +0000 (16:41 +0800)]
libsdl2: fix race when building in parallel
Fixes a race where it tries to build version res file in build directory
before it has even been created. Prevents intermittent errors on
autobuilder when building for mingw:
| /bin/bash ../SDL2-2.0.10/build-scripts/updaterev.sh
| /bin/bash ../SDL2-2.0.10/build-scripts/mkinstalldirs build
| mkdir -p -- build
| x86_64-pokysdk-mingw32-windres --include-dir=/home/pokybuild/yocto-worker/meta-mingw/build/build/tmp/work/x86_64-nativesdk-mingw32-pokysdk-mingw32/nativesdk-libsdl2/2.0.10-r0/recipe-sysroot/opt/poky/3.0/sysroots/x86_64-pokysdk-mingw32/us
| /include ../SDL2-2.0.10/src/main/windows/version.rc build/version.o
| x86_64-pokysdk-mingw32-windres: build/version.o: No such file or directory
| Makefile:692: recipe for target 'build/version.o' failed
| make: *** [build/version.o] Error 1
| make: *** Waiting for unfinished jobs....
| touch build/.created
| WARNING: exit code 1 from a shell command.
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Yongxin Liu [Wed, 13 Nov 2019 06:48:55 +0000 (14:48 +0800)]
ltp: Add "udevadm trigger" before swap verification in mkswap01.sh
Swap verification sometimes fails due to a race condition with udev.
This is a known issue: https://github.com/linux-test-project/ltp/issues/458.
"udevadm trigger" forces udev to sync up device events with kernel.
Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>