Software layers were previously allowed to change signatures, but
that's not desired for those layers either. The rule that a layer
which is "Yocto Compatible 2.0" must not change signatures unless
explicitly requested holds for all kinds of layers.
However, as this is something that software layers might not be able
to do right away, testing for signature changes in software layers can
be disabled. It's on by default, as that was Richard's
recommendation. Whether that should change needs further discussion as
part of finalizing "Yocto Compatible 2.0".
As it might still change, the tool now has both a with/without
parameter so that users of the tool can choose the desired behavior
without being affected by future changes to the default.
(From OE-Core rev: e4dce65ce604a74da0f09ee2742cf8b13cf96c8e)
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The "test_signatures" test ignored a broken world build when getting
signatures, but the code which then tried to analyze a difference
found by the test didn't, which prevented printing the difference.
(From OE-Core rev: f2190e7e81f86735510c6ab10d3ac781146113f9)
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
add_layer_dependencies() might get called more than once, or one of
the layer dependencies might already be present. The function should
not add layers again because doing so can cause warnings like:
WARNING: Duplicate inclusion for .../meta-openembedded/meta-oe/conf/distro/include/meta_oe_security_flags.inc in .../meta-openembedded/meta-oe/conf/layer.conf
(From OE-Core rev: 9821cec1ca52deee444ae3ff14dc548c8312ba3c)
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This patch is generic enough that it can be applied universally
and makes maintenance easier
(From OE-Core rev: 2df99a0cddf60944ee9e5065d693cea03f5e93b3)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
(cherry picked from commit f769b8389091b4ffaff8f6f8fc7e53462ce176a5)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Currently, the qemu CPUs for are specified as generic, but the built
artifacts are not. For example, we build x86-64 artifacts targeting
core2duo but run them in qemu with generic qemu/kvm CPUs. This causes
some packages that take advantage of the host architecture to crash
because they try to use CPU features not advertised by qemu. As an
example, Qt uses ssse3. When artifacts linked against Qt and built
targeting core2duo attempt to run on a generic qemu/kvm CPU, we get
the following crash:
Incompatible processor. This Qt build requires the following features:
ssse3
We could fix this by making packages like Qt not take advantage of CPU
features. However, we will probably keep facing similar issues over
time, so it's better to resolve them in a more enduring way.
Fix this by making the qemu -cpu arguments match the built artifacts.
(From OE-Core rev: 20b3574749420a1fef2cb2e0579584453dd4c5c5)
(From OE-Core rev: d945678264ba31dccb5b1dec973e8f3a58403ea2)
Signed-off-by: Martin Kelly <mkelly@xevo.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
So that:
1) dnf does not complain anymore about releasever not being set and then fail
for the same reason;
2) it's possible to refer to $releasever in dnf package feed configuration
(repo paths in particular) without hardcoding the release name (pyro, morty, etc.)
(From OE-Core rev: 789e3fc225adbb61f10aaa3bbc3677856f5f0238)
(From OE-Core rev: 5a97694767c76f3083e9ffeeaaa19d76ff424c83)
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Remove the check_whence.py script since it is only needed to validate
the WHENCE file, and only if explicitly running `make check`.
(From OE-Core rev: 1fc4d5a31f05970d8d80b0106ea81d486f298e33)
(From OE-Core rev: a933bd65e7a02e1faa9dc83c04cefd8205f05421)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The modern version of zone.tab is required by tzselect e.g.
(From OE-Core rev: de467998ecfa5fa1d2e9dd43a4a3d828cf9ccade)
(From OE-Core rev: c92a783a2d42a6248fc0b982889a9cdc53e6ccd3)
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix type confusion in xmlValidateOneNamespace
Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types
on namespace declarations make no practical sense anyway.
Fixes bug 780228
CVE: CVE-2017-0663
(From OE-Core rev: a965be7b6a1d730851b4a3bc8fd534b9b2334227)
(From OE-Core rev: e442e7105ba39ddaed0749614b5ee552f9df2d5a)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix handling of parameter-entity references
There were two bugs where parameter-entity references could lead to an
unexpected change of the input buffer in xmlParseNameComplex and
xmlDictLookup being called with an invalid pointer.
Fixes bug 781205 and bug 781361
CVE: CVE-2017-9049 CVE-2017-9050
(From OE-Core rev: 2300762fef8fc8e3e56fb07fd4076c1deeba0a9b)
(From OE-Core rev: a409c50a09b12caa434b2b06bdcfb6beba43f67f)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
xmlSnprintfElementContent failed to correctly check the available
buffer space in two locations.
Fixes bug 781333 and bug 781701
CVE: CVE-2017-9047 CVE-2017-9048
(From OE-Core rev: bb0af023e811907b4e641b39f654ca921ac8794a)
(From OE-Core rev: d549b8f3836b2ffda5c59a7ae4d955846c558646)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
It's possible for tasks to stage symlinks that point to non-existent
files; an example is ncurses-native.do_populate_sysroot. There wasn't
any error checking here so this broke the build when "task" was included
in BUILDHISTORY_FEATURES. In any case we shouldn't be following symlinks
and getting the sha256sum of the link target - we need concern ourselves
only with the target path, so check if the file is a link and sha256 the
target path instead if it is. If it's neither a regular file nor a
symlink (perhaps a pipe or a device), just skip it.
(From OE-Core rev: f60520d97f53dafe783f61eb58fe249798a1e1be)
(From OE-Core rev: 66a0d184d8f55a8da03de9fedb18d166b80b198b)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
tcf-agent ignores SIGTERM, so upstream uses USR2 instead. This issue was noticed
by Jan Kiszka and Brian Avery around the same time:
https://patchwork.openembedded.org/patch/139546/
https://patchwork.openembedded.org/patch/139560/
However, these patches fixed only the init scripts, not the systemd service
file. This patch fixes the systemd file.
(From OE-Core rev: 4f8ed1b3bf676a58055ebe01184b3594459a4118)
(From OE-Core rev: a8d25315baf3226e2213e1cfba1d7023ec02a401)
Signed-off-by: Martin Kelly <mkelly@xevo.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The upstream init script uses SIGUSR2 to terminate that daemon because
SIGTERM is ignored. As the killproc function does not support specifying
a signal, switch to start-stop-daemon. Drop the retry loop because
SIGUSR2 is lethal for agent.
(From OE-Core rev: b27d804dd0cbce3e4ed43e7fdfcc4e12c141e78d)
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In libgcrypt before 1.7.7, an attacker who learns the EdDSA session key (from
side-channel observation during the signing process) can easily recover the
long-term secret key. 1.7.7 makes a cipher/ecc-eddsa.c change to store this
session key in secure memory, to ensure that constant-time point operations are
used in the MPI library.
(From OE-Core rev: 6039dbfd981830b5406c25a27ccfae0e5ed016e8)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
mkefidsk currently writes a startup.nsh with embedded control characters.
This happens because \b etc are control sequences to the shell echo
command when using dash. The resulting startup.nsh causes the bootup
to fail, and the user is dropped into the EFI shell to manually run
startup.nsh.
Patch originally provided by Troy D. Hanson <troy.hanson@jhuapl.edu>
[YOCTO #9665]
(From OE-Core rev: 359722a86580128aeccd05531eff0da4e6971721)
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 008d6cb5bb4969f53a228893c502be8c9420ecb0)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The secondary EFI partition is used when booting in EFI mode, and
without the configuration data we don't get any boot targets.
Partial fix to [YOCTO #11503].
(From OE-Core master rev: 84aa7a00810e135fdad3f77bdb1da7d1f5fb8627)
(From OE-Core rev: 915b01258ef426392bb9052c345f952670db4450)
Signed-off-by: California Sullivan <california.l.sullivan@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* since this commit:
commit f5a1013ffa9815f22e13989e2bcb83f966e7ce2c
Author: Ross Burton <ross.burton@intel.com>
Date: Tue Apr 18 16:19:12 2017 +0100
package_manager: don't race on a file when installing complementary
packages
the file isn't closed before oe-pkgdata-util uses it and this
temporary file might look empty to oe-pkgdata-util, because it
wasn't flushed yet. Which resulted in almost empty debugfs tarballs
and no locale packages in regular rootfs.
* without this change:
124K May 30 07:41 core-image-full-cmdline-raspberrypi3-64-20170530054003-dbg.rootfs.tar.gz
* with this change:
173M May 30 07:29 core-image-full-cmdline-raspberrypi3-64-20170530052715-dbg.rootfs.tar.gz
(From OE-Core rev: 9b34200048b3d2b477a19b7ddc8d447f873adbb2)
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 877d38db08aa7060d16405443cf70539c559fe82)
Signed-off-by: Anders Darander <anders@chargestorm.se>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
If building for nativesdk the wrong rss sysroot is used leading to the
following error message.
| ERROR: oe_runmake failed
| In file included from tools/imximage.c:13:0:
| include/image.h:1024:27: fatal error: openssl/evp.h: No such file or directory
| # include <openssl/evp.h>
Tools needed on the build host (script/basic/fixdep) and code compiled
for the SDK machine are both built with the build host's compiler,
leading to additional errors.
Adding CROSS_COMPILE="${HOST_PREFIX}" and using the cross-compiler for
the SDK_ARCH fixes the build error.
The resulting binary in the SDK is working.
(From OE-Core rev: aab5311f3ad9fb9f9e26b18b5fe5e54d8ec14798)
Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This clearly wasn't tested as the correct variable is ASSUME_PROVIDED.
This reverts commit 91cee06433.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The code in these two functions is meant to be equivalent in behaviour
but isn't. Add in code to ensure files that don't exist are handled
consistently by both functions. Users did report being able to generate
tracebacks otherwise.
(Bitbake rev: 1b66c57d0f8a9bd9f9feb2a85759e18d9a1d674b)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ensure that when an item fetched from a premirror has an invalid checksum the
fetcher falls back to the usual logic of trying the upstream and any configured
mirrors.
(Bitbake rev: cc52b9b12c60810142252b9cb5d4268e42371b8e)
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
I discovered a mis-placed block of DocBook text that was
causing the string "bug-id" to appear in a random spot in the
"Patch Submission Details" section. Re-ordering this block
fixed the problem.
(From yocto-docs rev: 92616f73ce31505e11f3193b1350acc875003649)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
For development purposes, static libraries need to be
present only in the SDK. We do not need those static
libraries in the image for most scenarios. So, replace
IMAGE_INSTALL with TOOLCHAIN_TARGET_TASK in the documentation.
I updated the note to reflect this.
Suggested-by: Maxin B. John <maxin.john@intel.com>
(From yocto-docs rev: fd17ac96a44d08f7f2798e69cd923e0726a0754a)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fixes [YOCTO #11579]
I made some corrections by taking out the fact that BitBake
issues a warning or error if any version mismatches are found.
(From yocto-docs rev: e037858b95a97699c110be3b091db06633c9c44a)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
poky.ent - updated variables for 2.3.1
mega-manual.sed - exchanged "2.3.1" for "2.3" for links
<manual>.xml - updated manual revision tables to use
"June 2017" as the release date for 2.3.1
(From yocto-docs rev: 01d60d08a0c7371b8f7476f45fca89226caec680)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fixes [YOCTO #11600]
Removed the example. It was not needed.
(From yocto-docs rev: e3610147535c259c49c3dc08289c037ba49c48a1)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fixes [YOCTO #11411]
Added a naming convention warning to the native.bbclass description
that is similar to the existing warning used in the description for
the nativesdk.bbclass.
(From yocto-docs rev: ece69399decb54045c974e9e537286eb820fde61)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fixes [YOCTO #11600]
"configure" and "cmake" are not do_* tasks of BitBake. I updated
the formatting of these programs and removed links that were to
the tasks in the reference manual.
(From yocto-docs rev: a53d766976ec77a2706014d114bef698d3b6f710)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The figure that Scott Garman used for an old video cast is
much more appealing to the eye than the giant, square beast
the current manual was using. I have replaced the image.
The image is technically the same.
Because the mega-manual has to use a duplicate figure, I
put the new PNG files in the Figures directory for both the
yocto-project-qs and mega-manual books.
(From yocto-docs rev: 10985cadfecea0096412df049b3457bc0297c4bf)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The YP doc set was using a link to an out-dated video that
showed how to configure and run Eclipse. The video was very
old and Jessica suggested just removing it. So, I replaced
all occurrences of the link to the up-to-date appendix in the
SDK manual that provides information on the latest supported
version of the Eclipse IDE.
(From yocto-docs rev: a414addb427337dc76a05cf3f56bf8aeec1a7c1b)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The link to the section on how to set up Eclipse had been broken
for a while. I fixed the link so that it goes to the appropriate
section (appendix) in the SDK manual.
(From yocto-docs rev: ab2af9c0b237285c6989832db306a42957a6187d)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fixes [YOCTO #11579]
Added a new description for the LAYERRECOMMENDS variable.
(From yocto-docs rev: 207c69e218507b384dbd017367dfe392fd45296e)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fixes [YOCTO #11579]
The syntax for specifying a layer version was incorrect. I
have added an explanation for the correct syntax and provided
an example.
(From yocto-docs rev: 83c97473defbbac35ebca81f4ef69289f3dd8789)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fixes [YOCTO #9001]
Updated the image-live class description to specifically mention
creating *.iso and *.hddimg images as "live" images. Provided more
explanation about usage through the NOISO and NOHDD variables.
Also, provided a cross-referencing link back to the updated
image-live class from the EFI_PROVIDERS variable.
(From yocto-docs rev: 10c81adc26bd0a7a8952eb362f958f92566d42db)
Signed-off-by: Scott Rifenbark <srifenbark@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>