Update-alternatives is actually a runtime dependency. The build-time
dependency is only needed to make sure update-alternatives gets built
at all, because the runtime dependencies are generated too late for
bitbake to notice.
This breaks a dependency loop between dpkg and xz, if dpkg also
serves as the preferred runtime provider for update-alternatives.
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
Remove update-alternatives handling completely. It was introduced
to handle read-only rootfs errors with systemd, but relied on
inappropriate use of IMAGE_FEATURES. The latter part has already
been reverted, leaving only boilerplate code around.
Observed with dpkg's version of update-alternatives.
This effectively reverts the following patches (from newest to oldest):
577585375: connman.inc: do not check IMAGE_FEATURES
2a0afa968: connman: fix build-time warning with sysvinit
732e1f74b: connman: correct the systemd boot in read only rootfs
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
systemd: Don't install resolv.conf symlink when resolved is disabled
There's no point in letting systemd install it, if systemd doesn't
provide DNS. Let other services like resolvconf or connman do that,
because only they know the location they expect.
This also fixes a problem during do_rootfs with apt and dpkg's
update-alternatives:
| update-alternatives: error: alternative path /etc/resolv-conf.systemd doesn't exist
| dpkg: error processing package systemd:armhf (--configure):
| subprocess installed post-installation script returned error exit status 2
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
It is a small version of gpg which can only verify signatures. It
should be installable on its own. This matches the behaviour of
the gnupg 1.4 recipe, which was removed recently.
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
package_manager/deb: let apt-get handle postinst scripts
With all required environment variables and configuration options in
apt.conf in place, apt-get is able to install packages offline, i.e.
when creating the rootfs, including the execution of postinst scripts
and updating the package database. This is new behaviour.
At the time the deleted code would have executed, its work was already
done by apt-get.
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
connman: Simplify and fix packaging of VPN plug-ins
- Use simple static packaging.
- Move VPN runtime dependencies from connman to the individual plug-ins.
- Create a connman-ppp package containing libppp-plugin.so, which is
a shared library needed by l2tp and pptp plug-ins.
- Let connman suggest VPN packages instead of recommending them, so they
don't get installed by default.
- Remove unknown configure options (--with-pptp --with-l2tp)
Signed-off-by: Andreas Oberritter <obi@opendreambox.org>
Paul Barker [Sat, 23 May 2020 19:16:06 +0000 (20:16 +0100)]
avahi: Don't advertise example services by default
The example service files are placed into /etc/avahi/services when we
run `make install` for avahi. This results in ssh and sftp-ssh services
being announced by default even if no ssh server is installed in an
image.
These example files should be moved away to another location such as
/usr/share/doc/avahi (taking inspiration from Arch Linux).
Signed-off-by: Paul Barker <pbarker@konsulko.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
1. They need to be run under a regular user.
2. Some tests genuinely need more time than 30 seconds.
3. The Makefile patch erroneously introduced a test-breaking change.
Richard Purdie [Wed, 13 May 2020 15:24:50 +0000 (10:24 -0500)]
sstatesig: Optimise get_taskhash for hashequiv
With hashequiv the get_taskhash function is called much more regularly
and contains expensive operations. Since these don't change based upon
hash in a given build, improve the caching within the function to
reduce overhead.
Richard Purdie [Sat, 25 Apr 2020 21:20:11 +0000 (22:20 +0100)]
targetcontrol: Fix leaking log handler
We had a mystery failure on the autobuilder where runqemu appeared to
be failing as a logfile directory no longer existed. The key to
reproducing was running a runqemu where the image was deleted (as
devtool does), then running another runqemu test. E.g.:
Richard Purdie [Fri, 24 Apr 2020 12:23:27 +0000 (13:23 +0100)]
oeqa/qemurunner: Clean up failure handling
If you fail to setup the tap devices, runqemu will error quickly
however stdout/stderr are not shown to the user, instead a SystemExit
traceback is shown. This could explain some long since unexplained
failures on the autobuilder.
Rework the error handling so SystemExit isn't used and the
standard log failure messages can be shown. The code could
likely ultimately need some restructuring to work effectively.
This error handling didn't work as expected since upon failure it would
inject bytestreams back into the code leading to tracebacks.
Instead, ignore the decode errors. Fixes:
Traceback (most recent call last):
File "/home/pokybuild/yocto-worker/a-full/build/scripts/resulttool", line 78, in <module>
sys.exit(main())
File "/home/pokybuild/yocto-worker/a-full/build/scripts/resulttool", line 72, in main
ret = args.func(args, logger)
File "/home/pokybuild/yocto-worker/a-full/build/scripts/lib/resulttool/store.py", line 70, in store
resultutils.save_resultsdata(results, tempdir, ptestlogs=True)
File "/home/pokybuild/yocto-worker/a-full/build/scripts/lib/resulttool/resultutils.py", line 178, in save_resultsdata
f.write(sectionlog)
TypeError: write() argument must be str, not bytes
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[ includes the fix for CVE-2020-11501 ]
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Alex Kiernan [Fri, 1 May 2020 21:56:26 +0000 (00:56 +0300)]
gnutls: upgrade 3.6.8 -> 3.6.11.1
Drop patch from 81485be19b18 ("gnutls: don't use HOSTTOOLS_DIR/bash as a
shell on target") as upstream now honours POSIX_SHELL when set as the
primary target shell.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Chee Yang Lee [Fri, 1 May 2020 21:41:13 +0000 (00:41 +0300)]
qemu/slirp: fix CVE-2020-7211
fix CVE-2020-7211 for qemu slirp submodule
see:
https://www.openwall.com/lists/oss-security/2020/01/17/2
https://gitlab.freedesktop.org/slirp/libslirp/commit/14ec36e107a8c9af7d0a80c3571fe39b291ff1d4
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[ includes the fix for CVE-2019-14855 ]
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Lee Chee Yang [Fri, 1 May 2020 21:59:17 +0000 (00:59 +0300)]
cve-update-db-native: clean DB if temporary file exist
When do_populate_cve_db is forcibly stopped at a certain point, the
DB execution is stopped, but the temporary database
file (DB-JOURNAL) is not removed. This db-journal file
indicates that the DB is incomplete and sets the DB to read-only
mode. So when a db-journal exists, remove both the DB and the
db-journal and build the DB again from scratch.
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
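The stale-journal check described in the commit above, as an added example that is not poky's cve-update-db-native script: a leftover SQLite rollback journal (`<db>-journal`) next to the database means the last write never committed, so the database is discarded together with the journal and rebuilt rather than reused. The `cve` table schema, the sample rows, and the garbage journal content are constructed for the demo.

```python
"""Added example (not poky's own code): detect a stale SQLite rollback
journal left by an interrupted database update and rebuild from scratch."""
import os
import sqlite3
import tempfile

# Hypothetical, much simpler than the real NVD tables.
SCHEMA = "CREATE TABLE IF NOT EXISTS cve (id TEXT PRIMARY KEY, score REAL)"


def journal_path(db_path):
    # SQLite's rollback journal lives beside the database as <db>-journal.
    return db_path + "-journal"


def db_is_incomplete(db_path):
    # A journal that survived the process means the transaction never committed.
    return os.path.exists(journal_path(db_path))


def reset_if_incomplete(db_path):
    """Remove the DB and its journal when the journal is present.

    Returns True when a reset happened, False when the DB was left alone.
    """
    if not db_is_incomplete(db_path):
        return False
    for path in (db_path, journal_path(db_path)):
        if os.path.exists(path):
            os.remove(path)
    return True


def populate(db_path, rows):
    """Create the schema and insert rows, rebuilding first if a journal is stale."""
    reset_if_incomplete(db_path)
    conn = sqlite3.connect(db_path)
    try:
        with conn:  # one transaction: either all rows land or none do
            conn.execute(SCHEMA)
            conn.executemany("INSERT OR REPLACE INTO cve VALUES (?, ?)", rows)
    finally:
        conn.close()


def count_entries(db_path):
    conn = sqlite3.connect(db_path)
    try:
        return conn.execute("SELECT COUNT(*) FROM cve").fetchone()[0]
    finally:
        conn.close()


def simulate_interrupted_update(db_path):
    # Constructed failure: leave a partial journal behind, as a killed
    # update would. The bytes are arbitrary; only the file's presence matters.
    with open(journal_path(db_path), "wb") as f:
        f.write(b"\xd9\xd5\x05\xf9\x20\xa1\x63\xd7partial")


def demo():
    """Populate, simulate a kill mid-update, then rebuild.

    Returns (reset_on_clean_db, reset_after_interrupt, rows_after_rebuild,
             still_incomplete).
    """
    tmpdir = tempfile.mkdtemp()
    db = os.path.join(tmpdir, "nvd.db")
    populate(db, [("CVE-2020-7211", 5.5), ("CVE-2020-11008", 7.5)])
    clean_reset = reset_if_incomplete(db)        # no journal: nothing to do
    simulate_interrupted_update(db)
    interrupted_reset = reset_if_incomplete(db)  # journal present: wipe both
    populate(db, [("CVE-2020-7211", 5.5)])       # rebuild from scratch
    return clean_reset, interrupted_reset, count_entries(db), db_is_incomplete(db)


if __name__ == "__main__":
    print(demo())
```

The check deliberately runs before sqlite3 opens the file: once a connection is made, SQLite's own hot-journal handling decides what to do with the leftover, and the point of the fix is to never trust a database whose last update was cut short.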
Li Zhou [Mon, 27 Apr 2020 09:17:49 +0000 (17:17 +0800)]
git: Security Advisory - git - CVE-2020-11008
Backport the 1st -- 9th patches listed by
<https://github.com/git/git/compare/v2.17.4...v2.17.5>
to solve CVE-2020-11008.
Also backport the 2nd -- 4th patches listed by
<https://github.com/git/git/compare/v2.17.3...v2.17.4>
for CVE-2020-5260 (not necessary, and only the 1st patch is necessary
for this CVE), because some of the above 9 patches are based on them.
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Jan Luebbe [Mon, 6 Apr 2020 13:23:57 +0000 (15:23 +0200)]
apt-native: don't let dpkg overwrite files by default
With --force-overwrite (implied by --force-all), dpkg will not abort
when a package overwrites files from different packages. As this can
also lead to "The following package disappeared from your system as
all files have been overwritten by other packages: <package>" and
subsequently broken dependencies, this makes the simple case of
conflicting files hard to debug.
Instead of finding all possibly required force options, only disable
overwrite for now.
Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>