It is a small version of gpg which can only verify signatures. It
should be installable on its own. This matches the behaviour of
the gnupg 1.4 recipe, which was removed recently.
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
package_manager/deb: let apt-get handle postinst scripts
With all required environment variables and configuration options in
apt.conf in place, apt-get is able to install packages offline, i.e.
when creating the rootfs, including the execution of postinst scripts
and updating the package database. This is new behaviour.
At the time the deleted code would have executed, its work was already
done by apt-get.
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
connman: Simplify and fix packaging of VPN plug-ins
- Use simple static packaging.
- Move VPN runtime dependencies from connman to the individual plug-ins.
- Create a connmann-ppp package containing libppp-plugin.so, which is
a shared library needed by l2tp and pptp plug-ins.
- Let connman suggest VPN packages instead of recommending them, so they
don't get installed by default.
- Remove unknown configure options (--with-pptp --with-l2tp)
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
Paul Barker [Sat, 23 May 2020 19:16:06 +0000 (20:16 +0100)]
avahi: Don't advertise example services by default
The example service files are placed into /etc/avahi/services when we
run `make install` for avahi. This results in ssh and sftp-ssh services
being announced by default even if no ssh server is installed in an
image.
These example files should be moved away to another location such as
/usr/share/doc/avahi (taking inspiration from Arch Linux).
Signed-off-by: Paul Barker <pbarker@konsulko.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
1. They need to be run under regular user.
2. Some tests genuinely need more time than 30 seconds
3. The Makefile patch erroneously introduced a test-breaking change.
Richard Purdie [Wed, 13 May 2020 15:24:50 +0000 (10:24 -0500)]
sstatesig: Optimise get_taskhash for hashequiv
With hashequiv the get_taskhash function is called much more regularly
and contains expensive operations. This these don't change based upon
hash in a given build, improve the caching within the function to
reduce overhead.
Richard Purdie [Sat, 25 Apr 2020 21:20:11 +0000 (22:20 +0100)]
targetcontrol: Fix leaking log handler
We had a mystery failure on the autobuilder where runqemu appeared to
be failing as a logfile directory no longer existed. The key to
reproducing was running a runqemu where the image was deleted (as
devtool does), then running another runqemu test. E.g.:
Richard Purdie [Fri, 24 Apr 2020 12:23:27 +0000 (13:23 +0100)]
oeqa/qemurunner: Clean up failure handling
If you fail to setup the tap devices, runqemu will error quickly
however stdout/stderr are not shown to the user, instead a SystemExit
traceback is shown. This could explain some long since unexplained
failures on the autobuilder.
Rework the error handling so SystemExit isn't used and the
standard log failure messages can be shown. The code could
likely ultimatley need some restructuring to work effectively.
This error handling didn't work as expected since upon failure it would
inject bytestreams back into the code leading to tracebacks.
Instead, ignore the decode errors. Fixes:
Traceback (most recent call last):
File "/home/pokybuild/yocto-worker/a-full/build/scripts/resulttool", line 78, in <module>
sys.exit(main())
File "/home/pokybuild/yocto-worker/a-full/build/scripts/resulttool", line 72, in main
ret = args.func(args, logger)
File "/home/pokybuild/yocto-worker/a-full/build/scripts/lib/resulttool/store.py", line 70, in store
resultutils.save_resultsdata(results, tempdir, ptestlogs=True)
File "/home/pokybuild/yocto-worker/a-full/build/scripts/lib/resulttool/resultutils.py", line 178, in save_resultsdata
f.write(sectionlog)
TypeError: write() argument must be str, not bytes
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[ includes the fix for CVE-2020-11501 ] Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Alex Kiernan [Fri, 1 May 2020 21:56:26 +0000 (00:56 +0300)]
gnutls: upgrade 3.6.8 -> 3.6.11.1
Drop patch from 81485be19b18 ("gnutls: don't use HOSTTOOLS_DIR/bash as a
shell on target") as upstream now honours POSIX_SHELL when set as the
primary target shell.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Chee Yang Lee [Fri, 1 May 2020 21:41:13 +0000 (00:41 +0300)]
qemu/slirp: fix CVE-2020-7211
fix CVE-2020-7211 for qemu slirp submodule
see :
https://www.openwall.com/lists/oss-security/2020/01/17/2
https://gitlab.freedesktop.org/slirp/libslirp/commit/14ec36e107a8c9af7d0a80c3571fe39b291ff1d4
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[ includes the fix for CVE-2019-14855 ] Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Lee Chee Yang [Fri, 1 May 2020 21:59:17 +0000 (00:59 +0300)]
cve-update-db-native: clean DB if temporary file exist
when do_populate_cve_db forced stop at certain point, the
DB execution are stoped however the temporary database
file (DB-JOURNAL) are not removed. This db-journal file
indicates that DB is incomplete and set DB in readonly
mode. So when db-journal exist, remove both DB and the
db-journal and build the DB again from scratch.
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Li Zhou [Mon, 27 Apr 2020 09:17:49 +0000 (17:17 +0800)]
git: Security Advisory - git - CVE-2020-11008
Backport the 1st -- 9th patches listed by
<https://github.com/git/git/compare/v2.17.4...v2.17.5>
to solve CVE-2020-11008.
Also backport the 2nd -- 4th patches listed by
<https://github.com/git/git/compare/v2.17.3...v2.17.4>
for CVE-2020-5260 (not necessary, and only the 1st patch is necessary
for this CVE), because some of the above 9 patches are based on them.
Signed-off-by: Li Zhou <li.zhou@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Jan Luebbe [Mon, 6 Apr 2020 13:23:57 +0000 (15:23 +0200)]
apt-native: don't let dpkg overwrite files by default
With --force-overwrite (implied by --force-all), dpkg will not abort
when a package overwrites files from different packages. As this can
also lead to "The following package disappeared from your system as
all files have been overwritten by other packages: <package>" and
subsequently broken dependencies, this makes the simple case of
conflicting files hard to debug.
Instead of finding all possibly required force options, only disable
overwrite for now.
Signed-off-by: Jan Luebbe <jlu@pengutronix.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Martin Jansa [Thu, 2 Apr 2020 17:05:14 +0000 (19:05 +0200)]
prservice.py: fix do_package with newer Python in Ubuntu 20.04
* with Ubuntu 20.04 which is using python 3.8 I'm seeing a lot of errors like:
ERROR: libxml2-2.9.10-r0 do_package: Can NOT get PRAUTO, exception No module named '_sysconfigdata'
not sure what caused this from python 3.8, but this seems to work
* PRserv is enabled with:
PRSERV_HOST = "localhost:0"
Jeremy Puhlman [Wed, 4 Mar 2020 00:24:09 +0000 (16:24 -0800)]
python3-native: Should not search the system for headers/libraries.
The specific issue here is rpc/rpc.h, but its likely more general.
/usr/include is searched for rpc/rpc.h and if it exists on the
system, it changes behavior. If you are using the extended buildtools
tarball on a machine that has /usr/include/rpc/rpc.h, it will decide
that is good enough and not continue to search. nis fails to build
because /usr/include and /usr/lib are not part of the include/link
paths for the buildtools tarball compiler(nor should they be).
This makes it so python3-native will not build if you are using the
extended buildtools tarball, but from a larger issue perspective it
is building in likely different ways depending on what machine it
is building on.
libtirpc is already a depend so we shouldn't need the hosts rpc/rcp.h.
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 400743867de587579dee85388c30190f353f80c8) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
inetutils: Use alternatives to avoid manpage conflict
Fix the following manpage conflicts:
* check_data_file_clashes: Package inetutils-doc wants to install file /usr/share/man/man1/tftp.1
But that file is already provided by package * tftp-hpa-doc
* check_data_file_clashes: Package inetutils-doc wants to install file /usr/share/man/man8/tftpd.8
But that file is already provided by package * tftp-hpa-doc
* check_data_file_clashes: Package netkit-telnet-doc wants to install file /usr/share/man/man8/telnetd.8
But that file is already provided by package * inetutils-doc
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit fc14bfd60ad86094f65ebefbd10dbddc112d2698) Signed-off-by: Armin Kuster <akuster808@gmail.com>
Lee Chee Yang [Wed, 1 Apr 2020 06:39:56 +0000 (14:39 +0800)]
wic: align layer plugin path
wic look for external layer source plugin under scripts/lib/
while other tools look for lib/.
allow wic to check for source plugin at both scripts/lib/ and
lib/ to align with other tools while avoid breaking any existing
source plugin in external layer.
[YOCTO #13056]
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 986baff26bd96a6265f5fe2d631818fff9f66374) Signed-off-by: Armin Kuster <akuster808@gmail.com>
Richard Purdie [Mon, 30 Mar 2020 15:31:52 +0000 (16:31 +0100)]
pseudo: Ensure we use our own libsqlite
pseudo-native is special in that bitbake ends up executing it from the
sysroot-components directory before we have any workdirs for the bitbake
fakeroot worker. Since we switched to dynamically linking sqlite, it
means sqlite from the host system may be found, we really want the version
in sysroot-components. Trying to run tasks to create some special environment
for pseudo is hard and error prone. The simplest fix is to add an RPATH to
the binary so that it can correctly find the sqlite we want.
Unfortunately passing $ORIGIN into make doesn't work so well with shell
quoting so we have to fix that during do_install.
[YOCTO #13814]
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3937ca9e2dfabb1ce9bce1d536b60b1e2a43739b) Signed-off-by: Armin Kuster <akuster808@gmail.com>
Lee Chee Yang [Tue, 31 Mar 2020 07:26:03 +0000 (15:26 +0800)]
cve-check: CPE version '-' as all version
CPE version could be '-' to mean no version info.
Current cve_check treat it as not valid and does not report these
CVE but some of these could be a valid vulnerabilities.
Since non-valid CVE can be whitelisted, so treat '-' as all version
and report all these CVE to capture possible vulnerabilities.
Non-valid CVE to be whitelisted separately.
[YOCTO #13617]
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c69ee3594079589d27c10db32bc288566ebde9ef) Signed-off-by: Armin Kuster <akuster808@gmail.com>
Paul Barker [Mon, 9 Mar 2020 14:21:37 +0000 (14:21 +0000)]
kernelsrc.bbclass: Fix externalsrc support
When the externalsrc class is used the tasks listed in
SRCTREECOVEREDTASKS are deleted to prevent them being executed. If
externalsrc is used for the kernel then this will include
virtual/kernel:do_patch.
We can depend on do_shared_workdir instead as this will survive when
externalsrc is used.
Signed-off-by: Paul Barker <pbarker@konsulko.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2c17d35cc7b9c5e01fd5829858d2f0234e7ac8d6) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Paul Barker [Mon, 9 Mar 2020 14:21:38 +0000 (14:21 +0000)]
perf: Fix externalsrc support
When the externalsrc class is used the tasks listed in
SRCTREECOVEREDTASKS are deleted to prevent them being executed. If
externalsrc is used for the kernel then this will include
virtual/kernel:do_patch.
We can depend on do_shared_workdir instead as this will survive when
externalsrc is used.
Signed-off-by: Paul Barker <pbarker@konsulko.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit eab605bab94552046ec4adae5debe026cc03bb4c) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Paul Barker [Mon, 9 Mar 2020 14:21:39 +0000 (14:21 +0000)]
kernel-yocto.bbclass: Support config fragments with externalsrc
The merging of config fragments is performend in the do_kernel_configme
task and so config fragments will not be supported when this task is
removed from the dependency tree.
kernel-yocto adds additional tasks which may modify the source directory
to SRCTREECOVEREDTASKS so that they are removed when using externalsrc.
However, do_kernel_configme should be safe to use, the only modification
to the source tree is the potential creation of the '.kernel-meta'
directory and the '.metadir' file.
Signed-off-by: Paul Barker <pbarker@konsulko.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 44f04c039a4d61dd18666e42b9b9865cbc3ada9e) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Jan Luebbe [Wed, 1 Apr 2020 14:58:04 +0000 (16:58 +0200)]
lib/oe/package_manager: avoid installing provided packages via apt
If there already is a package providing (and conflicting against)
packages what should be installed, apt will try remove the conflicting
package (target-sdk-provides-dummy) and any that depend on it (like apt
and dpkg). This usually fails because of the protection of essential
packages. In that case, no -dev/-dbg packages are installed to the SDK.
Avoid this problem by checking which packages are already provided and
removing them from the list to be installed. Also sort the list to make
it easier to read when debugging.
Signed-off-by: Jan Luebbe <jlu@pengutronix.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3ffb339dd55f8ca7c952fd3390608510f772e19f) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Jan Luebbe [Wed, 1 Apr 2020 14:58:02 +0000 (16:58 +0200)]
lib/oe/package_manager: fix handling of last package
In commit 7d214b34e11dc57316ed5c1c7747c4601286f6d2, only the code in the
for loop was modified to store the pkgarch value. The code used if there
was no empty line at the end was not modified.
Instead of fixing the duplicated code, remove it and just make sure that
a final empty line is processed.
Signed-off-by: Jan Luebbe <jlu@pengutronix.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a7b93c695b23d015607b179d98526b9b14c03d45) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Jan Luebbe [Wed, 1 Apr 2020 14:58:01 +0000 (16:58 +0200)]
lib/oe/package_manager: make sure to not remove packages in apt install
apt install can decide to remove already installed packages if there are
conflicts. Avoid this by explicitly specifying --no-remove. This will
then cause a "E: Packages need to be removed but remove is disabled."
message.
Signed-off-by: Jan Luebbe <jlu@pengutronix.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9605a488b55042add012e9aeef13ab3f4e70e6e5) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Jeremy Puhlman [Thu, 2 Apr 2020 22:58:20 +0000 (15:58 -0700)]
busybox: on upgrade save busybox if it is the last shell
During a busybox upgrade on a ipk based system, it is possible
that busybox is the only shell in the system. During the uninstall
the alternative for /bin/sh is removed and everything after that
goes down hill.
* Add a check to verify if busybox is the shell, and save it to
the busyboxrm directory created in tmp. Then add an alternative
for /bin/sh that points to that busybox at the lowest priority.
* Add PATH to the busyboxrm directory using shell(as during an upgrade
busybox and its links are missing).
* When install over remove extra busybox if present.
deb and rpm are uneffected by the bug because they both drag in bash,
however neither upgrade seemed to have issue with the changes.
[YOCTO 13850]
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a9d2af8f5b3da8239cf00a52883ca596a19ea23a) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
projects / thirdparty / openembedded / openembedded-core-contrib.git / log
