Peter Marko [Mon, 23 Feb 2026 22:18:31 +0000 (23:18 +0100)]
cve-exclusions: set status for 5 CVEs
Reuse work of Debian researchers and set status for fixed CVEs
accordingly.
These are not tracked by kernel itself, so generated exclusions won't
help here.
Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Peter Marko [Mon, 23 Feb 2026 22:18:30 +0000 (23:18 +0100)]
linux-yocto: apply cve-exclusions also to rt and tiny recipe variants
Version is the same as base kernel, only configuration differs.
There is no reason to not apply the exclusions to all variants.
Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Adam Duskett [Mon, 23 Feb 2026 15:39:22 +0000 (16:39 +0100)]
rpm/rootfs.py: ensure exit 1 has a word boundary
Currently, If a package installed by dnf has the word "exit" followed by
"100%" in the log file, the rpm/rootfs.py regex matches a failure thanks to
the "exit 1"00%, such as the following:
lz4: Remove a reference to the rejected CVE-2025-62813
The CVE-2025-62813 is rejected so do not reference it anymore.
So keep the patch but without referencing the CVE identifier.
The CVE database indicates the following reason:
This candidate was withdrawn by its CNA. Further investigation
showed that it was not a security issue.
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
avahi: Remove a reference to the rejected CVE-2021-36217
CVE-2021-36217 is rejected, and should no longer be referenced.
CVE-2021-36217 is a duplicate of CVE-2021-3502 which is already
referenced in the local-ping.patch.
The CVE database indicates the following reason:
ConsultIDs: CVE-2021-3502. Reason: This candidate is a duplicate of
CVE-2021-3502. Notes: All CVE users should reference CVE-2021-3502
instead of this candidate. All references and descriptions in this
candidate have been removed to prevent accidental usage.
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Adrian Freihofer [Sun, 22 Feb 2026 12:07:36 +0000 (13:07 +0100)]
kernel.bbclass: remove dependency on initramfs when not bundled
Previously, the kernel recipe depended on the initramfs image even when
INITRAMFS_IMAGE_BUNDLE was not enabled. This caused the kernel to be
rebuilt whenever the initramfs image changed, regardless of whether the
kernel actually included the initramfs.
The problematic chain was:
linux:do_deploy ->
linux:do_bundle_initramfs ->
image-initramfs:do_image_complete
The original intent (acc. to the comment) was to ensure the initramfs
image was available for tools like wic. However, apart from bundling the
initramfs in the kernel, there is probably no reason why the kernel
should depend on the initramfs. And it is therefore simply wrong if it
does so anyway. Thus, use cases that may be broken by these change are
based on a bug, not a feature. This needs to be fixed by adding a
dependency on the initramfs in the right place, not in the kernel where
this destroys the kernel's sstate-caching.
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Adrian Freihofer [Sun, 22 Feb 2026 12:07:35 +0000 (13:07 +0100)]
image_types_wic.bbclass: add depend on initramfs
When the wic image creation requires an initramfs image that is not bundled
with the kernel (INITRAMFS_IMAGE_BUNDLE != "1"), ensure that the initramfs
image is built before attempting to create the wic image by adding an
explicit dependency on do_image_complete.
Previously, this dependency was incorrectly handled by kernel.bbclass.
This change moves the responsibility to image_types_wic.bbclass where
it belongs.
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Richard Purdie [Sat, 21 Feb 2026 08:42:26 +0000 (08:42 +0000)]
bitbake.conf: Enable opengl ptest multiarch wayland vulkan in DISTRO_FEATURES by default
This change enables the modern graphics stack defaults of opengl, wayland and
vulkan, it enables mutliarch which allows gcc, binutils and gdb to target
multiple file formats and it also enables ptests by default
This means that:
* nodistro builds will match the Yocto Project sstate CDN objects
* we have modern graphics defaults
* users will see ptest issues more clearly and be more likely to test
before sending patches
These DISTRO_FEATURES have been tested and used as defaults in poky for a
long time, this brings them into sync.
Backfill is used so those with their own distro can set the
DISTRO_FEATURES_BACKFILL_CONSIDERED variable to stop the backfill happening
for speccific values.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Anything that defines multiple git sources should have the largest value
taken when calculating the SOURCE_DATE_EPOCH for a package.
The previous iteration actually introduced some degree of randomness, as
it would stop on the first git repository reported by os.walk, which
does not assure any specific ordering by default.
Randy MacLeod [Thu, 19 Feb 2026 19:12:20 +0000 (14:12 -0500)]
coreutils: upgrade 9.9 -> 9.10
From https://lists.gnu.org/archive/html/coreutils-announce/2026-02/msg00000.html
Notable changes include:
- Options in man pages link directly into the full web docs
- timeout(1) now kills the command for all terminating signals
- paste(1) is now multi-byte character aware
- cp(1) fixes an unlikely infinite loop introduced in v9.9
- The multi-call binary is 3.2% smaller
Drop the 2 backported patches which are now part of 9.10.
License-Update: copyright years refreshed
For ptests, also install coreutils.texi which is used for a new test that ensures
there is an anchor for each --help option for all of coreutils' programs. See:
https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?h=v9.10&id=77e6b5d8f8d1ebc3125d6585a266a912a1123791
Most of the skipped tests are due to being "very expensive" according to the coreutils developers.
The other skipped tests need strace, gdb, etc or locale dependencies which has not yet been added.
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Randy MacLeod [Thu, 19 Feb 2026 19:12:19 +0000 (14:12 -0500)]
coreutils: kill and uptime are no longer installed
In coreutils-9.10, as explained in: 6b399ad35 build: kill(1), uptime(1): don't install by default
* build-aux/gen-lists-of-programs.sh: kill and uptime are not installed
by arch, debian, fedora, suse at least, so add to disabled list.
Fixes https://github.com/coreutils/coreutils/issues/132
Note that in oe-core:
kill is provided by busybox, procps and util-linux
uptime is provided by busybox and procps
and in other layers there may be other providers of these commands.
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This has been causing a significant performance regression,
to the point where AUH wasn't able to complete upgrades with
particularly large number of git commits between releases [1].
After discussing with Peter [2], running 'oe-selftest -r devtool' with this change (100% pass),
and also doing an AUH run with it, and reviewing the output I think this is fine to remove:
the case is either very niche or non-existent, and if it appears again, we
should come up with a better fix.
Aditya Kurdunkar [Wed, 18 Feb 2026 22:55:44 +0000 (04:25 +0530)]
externalsrc: fix duplicate entries in .git/info/exclude
`readlines()` preserves trailing newlines, so the duplicate check
against the stripped link name never matched. Strip lines before
comparing to prevent repeated entries on each devtool modify run.
Jan Luebbe [Mon, 16 Feb 2026 15:02:01 +0000 (16:02 +0100)]
openssl: add support for config snippet includes
This allows configuration (such as enabling providers) to be done by
adding snippet files to /etc/ssl/openssl.cnf.d instead of modifying a
copy of the full configuration file. As new snippets can be added from
separate recipes, targeted changes can be done in multiple layers.
For example, the pkcs11-provider can be enabled by adding a pkcs11.cnf
containing something like:
[default_sect]
activate = 1
Peter Marko [Fri, 20 Feb 2026 20:53:15 +0000 (21:53 +0100)]
alsa-lib: patch CVE-2026-25068
Pick patch mentioned in NVD report.
It also includes CVE ID in commit message.
Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Peter Marko [Wed, 18 Feb 2026 22:53:25 +0000 (23:53 +0100)]
glib-2.0: upgrade 2.86.3 -> 2.86.4
Fixes CVE-2026-1484, CVE-2026-1485 and CVE-2026-1489.
Release notes [1]:
Overview of changes in GLib 2.86.4, 2026-02-13
* Fix several security vulnerabilities of varying severity (see below
for details)
* Bugs fixed:
* #3858 (closed) glib-compile-resources: Incorrect compiler detection
on Windows when building GTK causes a DoS (L. E. Segovia)
* #3863 (closed) Iterating over a short (preallocated) GVariant
bytestring invalidly refs a NULL GBytes (Christian Hergert)
* #3870 (closed) (CVE-2026-1484) (YWH-PGM9867-168) Integer Overflow ->
Buffer Underflow on Glib through glib/gbase64.c via
g_base64_encode_close() leads to OOB Write (Marco Trevisan)
* #3871 (closed) (CVE-2026-1485) (#YWH-PGM9867-169) Buffer underflow
on Glib through gio/gcontenttype-fdo.c via parse_header() lead to
OOB Read/Write (Marco Trevisan)
* #3872 (closed) (CVE-2026-1489) (#YWH-PGM9867-171) Integer Overflow
on Glib through glib/guniprop.c via output_marks() lead to OOB Write
in glib/gutf8.c:g_unichar_to_utf8() (Marco Trevisan (Treviño))
* !4946 (merged) Update Romanian translation glib-2-86
* !4955 (merged) Backport !4954 (merged) “glib-compile-resources:
Always assume MSVC compiler if VCINSTALLDIR is set” to glib-2-86
* !4961 (merged) Backport !4960 (merged) “glib/gvariant: add failing
test for bytestring and fix it” to glib-2-86
* !4979 (merged) [glib-2-86] gbase64: Use gsize to prevent potential
overflow
* !4981 (merged) [glib-2-86] gio/gcontenttype-fdo: Do not overflow if
header is longer than MAXINT
* !4984 (merged) [glib-2-86] guniprop: Use size_t for output_marks
length
* !5010 (merged) Update Kazakh translation
* Translation updates:
* Kazakh (Baurzhan Muftakhidinov)
* Romanian (Antonio Marin)
Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ross Burton [Mon, 16 Feb 2026 13:48:35 +0000 (13:48 +0000)]
cmake: remove obsolete patches
0001-Disable-use-of-ext2fs-ext2_fs.h-by-cmake-s-internal.patch can be
replaced with two variable assignments to seed the results we want.
0002-CMakeLists.txt-disable-USE_NGHTTP2.patch is not needed anymore as
the vendored curl will disable the use of nghttp2 automatically if it
isn't found.
Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Richard Purdie [Sat, 21 Feb 2026 08:42:30 +0000 (08:42 +0000)]
distro/defaultsetup: Enable space optimization tweaks
This enables a collection of tweaks which reudce build output size where
the output has been found to be particularly problematic.
This reduces sstate object size as well as on disk build footprint, it
also helps memory usage for linking some of the recipes. This in turn
improves built speed and the smaller sstate objects are faster to compress,
decompress and transfer over the network.
This change has been tested in poky for a long time.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Richard Purdie [Sat, 21 Feb 2026 08:42:29 +0000 (08:42 +0000)]
distro/defaultsetup: Enable security flags by default
This defaults to including our security flags which use stack-protector-strong
and D_FORTIFY_SOURCE=2 by default, as aids to improve detection of security issues.
This change has been tested in poky for a long time and allows us to align
our default compilation flags and environment.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Richard Purdie [Sat, 21 Feb 2026 08:42:28 +0000 (08:42 +0000)]
distro/defaultsetup: Enable no-static-libs by default
In general, few people use statlic libraries. They are however large and take up a lot
of space on disk as well as taking time to compress/decompress and tranfser in sstate
objects.
This change disables most of them by default for disk space and speed/size performance
benefits.
This change has been tested in poky for a long time.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Richard Purdie [Sat, 21 Feb 2026 08:42:27 +0000 (08:42 +0000)]
defaultsetup: Enable uninative by default
uninative allows reuse of native sstate built on one distro on another. This change
enables it by default, as has been done by default in poky for a long time.
The reason for the change is that this makes the sstate CDN much more useful
to speed up builds if good network access is available. It also standardises
the builds to our usual testing configuration, removing one key difference
which new users sometimes run into.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Richard Purdie [Sat, 21 Feb 2026 08:42:25 +0000 (08:42 +0000)]
conf: Switch to systemd by default and simplify init manager selection
This change effectively switches things to use INIT_MANAGER to select the init
system and drops the old compatibility 'none' method. The init manager selection
is now complex enough that requiring users to select it makes sense.
The new default is systemd, which reflects popular opinion. This is known to have
issues in some of our configurations such as musl but is also frequently asked for.
Anyone replacing defaultsetup.conf in their own setup will need to provide
equivalent functionality but that is execpted for any of the settings in there.
This change drops sysvinit from the default distro features backfill, meaning
we no longer need to remove it in systemd setups and places the init managers
on a more equal and equivalent standing.
This is a behaviour change for anyone using nodistro and anyone not already
setting INIT_MANAGER explictly. This does not change the default for distros
which select an init manager already (e.g. poky).
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Richard Purdie [Sat, 21 Feb 2026 08:16:47 +0000 (08:16 +0000)]
conf/distro: Drop default-versions.inc
This conf file used to be useful when we had multiple versions of recipes
but we no longer do that and the file is empty. Remove it as obsolete and
not needed anymore.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Richard Purdie [Sat, 21 Feb 2026 08:16:46 +0000 (08:16 +0000)]
binutils: Drop unneeded and problematic vardeps explict value and immediate expansion
This was introduced in 0788cf349fe37ef4a36c626dbc396c97d1ab14d7 as a way of
tracking the EXTRA_OECONF changes. These should be tracked reliably by the
contains() code now so it is assumed this was working around a bug at the time.
I checked the current task hashes and that information is there.
Therefore drop this bit of code as the immediate expansion causes inaccurate
values.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Similar to native, backfilling of items from DISTRO_FEATURES when
combined with DISTRO_FEATURES_FILTER_NATIVESDK was not functioning
correctly.
Ensure the backfill is applied before filtering, then clear the value to
prevent further backfill. This makes the nativesdk and crosssdk cases
match the native code.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Sunil Dora [Thu, 19 Feb 2026 12:59:18 +0000 (04:59 -0800)]
rust: Enable dynamic linking with llvm
Fixes [Yocto #16058]
A segmentation fault occurs in rustc (e.g. in
llvm::X86ReadAdvanceTable) when reusing sstate artifacts built with
different host toolchain versions.
Issue sequence:
1. llvm-native is built with a newer toolchain
(e.g. GCC 15/Binutils 2.45).
2. rust-native is later built with an older linker.
(e.g. GCC 12/Binutils 2.40).
3. The older linker statically links parts of llvm-native into
librustc_driver.
4. The resulting binary crashes at runtime inside the statically
linked LLVM code.
The corruption happens at link time when mixing static native objects
produced by different toolchain generations.
Enable dynamic LLVM linking (link-shared = true) for rust-native so rustc
links against libLLVM.so instead of static archives, avoiding host linker
incompatibilities when reusing sstate artifacts.
Signed-off-by: Sunil Dora <sunilkumar.dora@windriver.com> Suggested-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Antonin Godard [Tue, 17 Feb 2026 09:59:16 +0000 (10:59 +0100)]
python3-sphinx: backport patch to fix singlehtml URIs
The singlehtml builder creates broken links, as reported on the
yocto-docs list[1].
This issue was also reported upstream[2], and the temporary fix is to
revert commit c93723b80396 ("singlehtml: deprecate the 'fix_refuris'
helper function (#13037)") in sphinx.
time64.inc: add links to "Y2038 in Yocto" slides and video
I'm not sure if placing conference slides and video links
here is okay, but I believe this is the best starting point
for anyone dealing with the Y2038 problem. It will help and
provide important context and action points for those needing
to support 32 bit products beyond Y2038.
Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
time64.inc: clean up and add upstream tickets where issues remain
Most issues were resolved via upstream version updates that bring in
needed fixes:
glib-2.0 update to 2.78.0 that includes:
https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3547
https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3550
curl update to 8.3.0 that includes
https://github.com/curl/curl/pull/11610
util-linux update to 2.39 that includes
https://github.com/util-linux/util-linux/pull/2430
https://github.com/util-linux/util-linux/commit/3ab9e699a8d90f55e0447516b7e05a8686180467
https://github.com/util-linux/util-linux/pull/2435
glib-networking update to 2.78.0 that includes
https://gitlab.gnome.org/GNOME/glib-networking/-/merge_requests/241
python3-cryptography update to 42.0.0 which resolves
https://github.com/pyca/cryptography/issues/9370 via
https://github.com/pyca/cryptography/pull/9964
perl update to 5.40.0 which includes
https://github.com/Perl/perl5/pull/21379
python3 update to 3.13.0 which includes
https://github.com/python/cpython/pull/118425
python3 update to 3.13.1 which includes
https://github.com/python/cpython/pull/124972
python3 update to 3.14.0 which includes
https://github.com/python/cpython/pull/119401
https://github.com/python/cpython/pull/125045
https://github.com/python/cpython/pull/107594
https://github.com/python/cpython/pull/125104
dbus update to 1.16.0 which includes
https://gitlab.freedesktop.org/dbus/dbus/-/merge_requests/444
https://gitlab.freedesktop.org/dbus/dbus/-/merge_requests/289
openssh update to 10.0p1 which includes
https://github.com/openssh/openssh-portable/pull/425
https://bugzilla.mindrot.org/show_bug.cgi?id=3684
https://marc.info/?l=openbsd-bugs&m=172561736524815&w=2
https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-October/041621.html
(all reporting the same issue)
gcc update to 15.1 which includes
https://github.com/llvm/llvm-project/pull/99699
via https://github.com/gcc-mirror/gcc/commit/fa321004f3f6288d3ee2eefa6b02177131882dca
and allows dropping special flags and exceptions for gcc-sanitizers.
Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
lttng-tools: install .expect test files with a wildcard
Otherwise, there will be failures on 32 bit hosts. Note
that the needed files are erroneously absent from upstream
release tarballs:
https://bugs.lttng.org/issues/1436
but once that is resolved, this commit will be effective.
Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
lttng-tools: ensure that ptest errors are not suppressed
At some recent point lttng-tools ptests have quietly regressed,
and most of them aren't executed anymore. Errors are printed
on the console, but aren't reported as exit code from run-ptest.
The reason is that exitcode was set to what sed returned, not make.
The original reason for piping through sed was to unify /tmp/tmp.xxxx outputs
for easier results comparison, but (after fixing the tests) I don't
see such lines anymore, and in any case ensuring such regressions
are caught is more important.
With this fix, run-ptest and testimage starts to fail as it should.
Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Tim Orling [Sun, 15 Feb 2026 22:10:57 +0000 (14:10 -0800)]
checklayer: fix get_depgraph() hang when command fails
The get_depgraph() function hangs indefinitely when a layer causes
command failures (e.g. meta-virtualization) because:
1. bb.command.CommandFailed was not included in the event mask passed
to set_event_mask(), so the failure event was silently dropped and
the while True loop never received a terminating event.
2. There was no timeout handling for the case where wait_event()
repeatedly returns None, leaving no escape from the loop.
Add CommandFailed to the event mask so failure events are properly
received and handled. Also add a timeout counter that raises
RuntimeError after 300 consecutive seconds of no events, preventing
an infinite hang.
Fixes [YOCTO #16170]
Signed-off-by: Tim Orling <tim.orling@konsulko.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Peter Marko [Tue, 17 Feb 2026 14:59:35 +0000 (15:59 +0100)]
iproute2: update link to homepage
The old link redirects here now.
Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Richard Purdie [Wed, 18 Feb 2026 14:41:07 +0000 (14:41 +0000)]
native: Use dynamic filtering for PROVIDES
Currently, PROVIDES is one of the few variables left which isn't handled by
filter code dynamically. This lead to bugs if for example you have a
PACKAGECONFIG value which references DISTRO_FEATURES, and DISTRO_FEATURES
is being set in the the native case late by backfill. The early expansion
of the value means it can use an incorrect DISTRO_FEATURES value leading to
confusing errors.
Convert the code to use a filter in common with the other code in the class.
This does lead to some behaviour differences outside OE-Core in meta-oe for
example where the PROVIDES of gd-native changed:
"gd-native gd-native-tools"
to
"gd-native gd-tools-native"
where the change is a clear improvement in correctness.
This fixes issues when DISTRO_FEATURES has backfill options in place in
the native case.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Richard Purdie [Wed, 18 Feb 2026 14:41:06 +0000 (14:41 +0000)]
native: Fix DISTRO_FEATURES backfill handling in native case
Currently, features listed in DISTRO_FEATURES_FILTER_NATIVE are not supported
for DISTRO_FEATURES_BACKFILL as the two variables interact badly. We now have
need to add some features to backfill which are in the filter_native case.
This patch fixes the handling by appuing the backfill, then zeroing the variable
once they are applied. This leads to them being correctly filtered.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Peter Marko [Tue, 17 Feb 2026 22:44:34 +0000 (23:44 +0100)]
python3: upgrade 3.14.2 -> 3.14.3
>From release notes [1]:
Security
* gh-144125: BytesGenerator will now refuse to serialize (write)
headers that are unsafely folded or delimited; see
verify_generated_headers. (Contributed by Bas Bloemsaat and Petr
Viktorin in gh-121650).
* gh-143935: Fixed a bug in the folding of comments when flattening an
email message using a modern email policy. Comments consisting of a
very long sequence of non-foldable characters could trigger a forced
line wrap that omitted the required leading space on the continuation
line, causing the remainder of the comment to be interpreted as a new
header field. This enabled header injection with carefully crafted
inputs.
* gh-143925: Reject control characters in data: URL media types.
* gh-143919: Reject control characters in http.cookies.Morsel fields
and values.
* gh-143916: Reject C0 control characters within wsgiref.headers.Headers
fields, values, and parameters.
Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Peter Marko [Tue, 17 Feb 2026 17:41:44 +0000 (18:41 +0100)]
zlib: upgrade 1.3.1 -> 1.3.2
Delete patch included in this version.
Remove CVE_STATUS for CVE resolved in this release.
Release information: [1]
More details on homepage: [2]
Audit details: [3]
Version 1.3.2 has these key updates from 1.3.1:
* Address findings of the 7ASecurity audit of zlib.
* Check for negative lengths in crc32_combine functions.
* Copy only the initialized window contents in inflateCopy.
* Prevent the use of insecure functions without an explicit request.
* Add compressBound_z and deflateBound_z functions for large values.
* Use atomics to build inflate fixed tables once.
* Add --undefined option to ./configure for UBSan checker.
* Copy only the initialized deflate state in deflateCopy.
* Zero inflate state on allocation.
* Add compress_z and uncompress_z functions.
* Complete rewrite of cmake support.
* Remove untgz from contrib.
* Vectorize the CRC-32 calculation on the s390x.
* Remove vstudio projects in lieu of cmake-generated projects.
* Add zipAlreadyThere() to minizip zip.c to help avoid duplicates.
* Add deflateUsed() function to get the used bits in the last byte.
* Fix bug in inflatePrime() for 16-bit ints.
* Add a "G" option to force gzip, disabling transparency in gzread().
* Return all available uncompressed data on error in gzread.c.
* Support non-blocking devices in the gz* routines.
Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Richard Purdie [Fri, 13 Feb 2026 17:56:18 +0000 (17:56 +0000)]
systemd: Stop supporting sysvinit compatibility
Systemd has worked with sysvinit compatibility but upstream plans to remove
this and hence we will no longer be able to support it. We need to remove this
before the LTS since the support will certainly not be there for the lifetime
of the LTS.
This patch disables that usage mode and removes some of the compatibility logic.
There is more that can be removed, this is meant just to signal to people it is
no longer supported and start that process. Further cleanup can be made over time
in later commits.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add packageconfig option to enable legacy support (disabled by default).
The legacy module includes deprecated and unmaintained OpenSSL
components. Drops openssl-oss-module-legacy from a runtime depends to a
runtime recommends for ptest.
Signed-off-by: Colin Pinnell McAllister <colinmca242@gmail.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
TLS 1.0 and TLS 1.1 have been deprecated by the IETF since 2021.
Disables support by default in packageconfig, requiring users to
explicitly opt-in for these deprecated protocols.
Signed-off-by: Colin Pinnell McAllister <colinmca242@gmail.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
- Fix issue with number of retries on authentication failures.
- Fix issue with G.722 @ 16 kHz codec ID value reported by transport.
- Add support for Telephony interface.
- Add support for Ranging profile.
- Add support for GMAP service.
- Add support for TMAP service.
Full changelog:
https://github.com/bluez/bluez/compare/5.85...5.86
Changes relevant for the build:
- mcaptest tool has been removed
- sap and health profiles have been removed from the code base
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Richard Purdie [Fri, 13 Feb 2026 17:45:55 +0000 (17:45 +0000)]
mirrors: Drop obsolete/inappropriate OE/YP mirror entries
These fetchers aren't used by code that would end up on these mirrors and are about
to be removed anyway in some cases. Drop the pointless/obsolete entries.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Zhang Peng [Fri, 13 Feb 2026 08:10:03 +0000 (16:10 +0800)]
libxkbfile: upgrade 1.1.3 -> 1.2.0
Changelog:
- libxkbfile is used by the X servers and utilities to parse the XKB
configuration data files.
- This release adds a new XkbRF_FreeVarDefs() API, and brings over many
fixes from the other copies of XKB code in the various X.Org repos.
- Since no complaints were received about the added meson build system
in the 1.1.3 release (February 2024), the autoconf build system has been
removed in this release.
Het Patel [Thu, 22 Jan 2026 14:59:18 +0000 (14:59 +0000)]
cve-update-nvd2-native: Use maximum CVSS score from all sources
The CVE check system was incorrectly reporting lower CVSS scores when
multiple scoring sources were available in the NVD database. This
occurred because the code only extracted the first element from the
metrics arrays, which could be a "Secondary" source with a lower score
rather than the "Primary" source or the highest available vendor score.
According to the CVSS v4.0 User Guide, "In situations where multiple
CVSS-B scores are applicable but only one is provided, the highest
CVSS-B score must be utilized." This follows the "reasonable worst-case"
principle established by the CVSS SIG.
This fix iterates through all available sources (v2, v3.0, v3.1, and
v4.0) and selects the maximum CVSS score to ensure the highest severity
is reported.
Daniel Dragomir [Wed, 11 Feb 2026 13:11:20 +0000 (15:11 +0200)]
wic/engine: error on old host debugfs for standalone directory copy
When wic is used in standalone mode, it relies on host tools such as
debugfs. For directory host->image copies into ext* partitions, wic
uses scripted debugfs "-f" input with multiple mkdir/write commands.
Older host debugfs versions (< 1.46.5) may behave unreliably in this
mode and can silently miss files. This does not affect builds using
debugfs from OE where the version is known to be sufficiently new.
Add a debugfs version check and emit an error when an older host
debugfs is detected. The error is shown once per run and halts execution.
Changes in v2:
- adjust the last working debugfs version to 1.46.5
Changes in v3:
- switch debugfs check from warning to error
Signed-off-by: Daniel Dragomir <daniel.dragomir@windriver.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Pratik Farkase [Wed, 11 Feb 2026 16:35:14 +0000 (17:35 +0100)]
libsolv: ptest: remove conditional checks
Simplify run-ptest and do_install_ptest by removing conditional
checks. If upstream renames or relocates test files, the build should
fail explicitly rather than silently skipping tests, ensuring the
recipe is updated appropriately.
Changes:
- Use testcases/* glob to automatically discover all test suites
- Remove file existence checks from run-ptest
- Remove file existence checks from do_install_ptest
Zhang Peng [Wed, 11 Feb 2026 03:22:13 +0000 (11:22 +0800)]
libx11-compose-data: upgrade 1.8.4 -> 1.8.12
- upgrade libx11-compose-data to 1.8.12 as it is part of libx11, and
libx11 already upgrade to 1.8.12
- refresh the patch 0001-Drop-x11-dependencies.patch
Kai Kang [Wed, 11 Feb 2026 03:04:21 +0000 (11:04 +0800)]
lttng-platforms.inc: set LTTNGMODULES with ?=
Set LTTNGMODULES with ?= in lttng-platforms.inc, then it could be set in
.conf files to override it.
Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Hongxu Jia [Wed, 11 Feb 2026 02:43:30 +0000 (10:43 +0800)]
gnupg: 2.5.14 -> 2.5.17
Release-info: https://dev.gnupg.org/T7996
Compare commits updates:
$ git clone https://github.com/gpg/gnupg.git
$ git log --oneline gnupg-2.5.14..gnupg-2.5.17 17b514596 (tag: gnupg-2.5.17) Release 2.5.17 f2f89dc82 po: msgmerge 11b7e4139 gpg: Fix possible NULL-deref with overlong signature packets. 93fa34d9a tpm: Fix possible buffer overflow in PKDECRYPT c3e387427 po: Update Swedish translation eba28eeaa agent: Add accelerator keys for "Wrong" and "Correct". 2438271ab agent: Fix stack buffer overflow when using gpgsm and KEM c7770b0a7 gpgsm: Make multiple search patterns work with keyboxd. 71570012e gpg: Remove a dead statement. 0bcd9be9a gpg: New export-option "keep-expired-subkeys" 0e37a6779 doc: Improve the "Programmatic use of GnuPG" section. 5f4ad39b1 doc: Rename an internal function to clarity the purpose. 8d4fc7667 dirmngr: Help detection of bad keyserver configurations. d97e52cc7 scd:openpgp: register vendor 4d52 916982b8c Post release updates 7d38a23b8 (tag: gnupg-2.5.16) Release 2.5.16 a9da315fb Revert "misc: Validate the value on the use of strtol." 26c422e5b Post release updates 7ee523ac2 (tag: gnupg-2.5.15) Release 2.5.15 947ea3c41 gpg: Deprecate the option --not-dash-escaped. abe9bddaa gpg: Fix for a recently claimed harmless keyboxd change. 4ec86dca3 po: msgmerge 691fa4ecb po: Update German translation 81bb94975 keyboxd: Fix database schema migration. 267f6db56 doc: Document default symmetric algo as AES-256 5d0ba97c8 Prepare NEWS 1b3bb7dde po: Enable Georgian translation. 6c1d13ac6 gpg: Implement skip function for keyboxd to fix a validation bug. 01eaa386e keybox: Fix the not yet used uid and pk keyblock index return values. c7472b1b9 po: Update Georgian Translation. 4350fc192 Avoid the function name thread_init. 674aa5424 dirmngr: Add a compatibility flag for use with newer Libksba versions. 32a3e5f83 common:dotlock: Escalate a warning message up to INFO from DEBUG. aab29b128 kbx:sqlite: Don't call dotlock_release. d4e40e2a8 common:dotlock: Comment fixes. 68dcfec91 common:dotlock:w32: Minor fixes for Windows. e4f20ba10 commond:dotlock: Remove support of use with glib. 493276a20 po: Update Portuguese translation 216a695ce agent: Use SHADOW_INFO to silence warnings. 57affc4e9 common,agent,dirmngr,kbx:w32: Synchronous spawning daemon process. cad79e542 agent,common,dirmngr,tests: Silence warnings of a compiler. bcd87ea2b misc: Validate the value on the use of strtol. ce44fde23 Post release updates
Pratik Farkase [Tue, 10 Feb 2026 20:39:05 +0000 (21:39 +0100)]
libconfig: add ptest support
Add ptest support to enable automated testing of libconfig
using ptest-runner.
The implementation uses libtool --mode=install to properly
install test binaries, avoiding issues with libtool wrapper
scripts. Tests are built via 'make check TESTS=' to compile
without running during the build phase.
The test suite includes 16 tests covering parsing, formatting,
binary/hex values, escaped strings, and various edge cases.
All tests pass successfully on qemux86-64 :
START: ptest-runner
BEGIN: /usr/lib/libconfig/ptest
[TEST] ParsingAndFormatting
parsing testdata/input_0.cfg
parsing testdata/input_1.cfg
parsing testdata/input_2.cfg
parsing testdata/input_3.cfg
parsing testdata/input_4.cfg
parsing testdata/input_5.cfg
parsing testdata/input_6.cfg
parsing testdata/input_7.cfg
[ OK ] ParsingAndFormatting
[TEST] ParseInvalidFiles
[ OK ] ParseInvalidFiles
[TEST] ParseInvalidStrings
[ OK ] ParseInvalidStrings
[TEST] BigInt1
[ OK ] BigInt1
[TEST] BigInt2
[ OK ] BigInt2
[TEST] BigInt3
[ OK ] BigInt3
[TEST] BigInt4
[ OK ] BigInt4
[TEST] BigInt5
[ OK ] BigInt5
[TEST] BigInt6
[ OK ] BigInt6
[TEST] BigInt7
[ OK ] BigInt7
[TEST] RemoveSetting
[ OK ] RemoveSetting
[TEST] EscapedStrings
[ OK ] EscapedStrings
[TEST] OverrideSetting
[ OK ] OverrideSetting
[TEST] SettingLookups
[ OK ] SettingLookups
[TEST] ReadStream
[ OK ] ReadStream
[TEST] BinaryAndHex
some auto big hex: 4294967296
some auto big bin: 8589934591
negativehex: -1430532899
[ OK ] BinaryAndHex
Pratik Farkase [Tue, 10 Feb 2026 19:50:41 +0000 (20:50 +0100)]
libassuan: add ptest support
Add ptest support to enable automated testing of libassuan
using ptest-runner.
The implementation installs test programs (version, pipeconnect,
fdpassing) and the shell script test (fdpassing-socket.sh).
All 4 tests pass on qemux86-64:
START: ptest-runner
BEGIN: /usr/lib/libassuan/ptest
PASS: version
Received data `Your lucky number is 3552664958674928. Watch for it everywhere.'
PASS: pipeconnect
PASS: fdpassing
PASS: fdpassing-socket.sh
END: /usr/lib/libassuan/ptest
STOP: ptest-runner
TOTAL: 1 FAIL: 0
Pratik Farkase [Tue, 10 Feb 2026 19:33:28 +0000 (20:33 +0100)]
libarchive: add ptest support
Add ptest support to enable automated testing of libarchive
using ptest-runner.
The implementation builds and installs five test suites:
libarchive_test, bsdtar_test, bsdcpio_test, bsdcat_test, and
bsdunzip_test, along with their test data files.
Test executables for bsdtar, bsdcpio, bsdcat, and bsdunzip are
provided via symlinks to the installed binaries.
All tests on qemux86-64 pass:
libarchive_test: 689 tests
bsdtar_test: 76 tests
bsdcpio_test: 49 tests
bsdcat_test: 18 tests
bsdunzip_test: 8 tests
Logan Gallois [Tue, 10 Feb 2026 17:39:49 +0000 (18:39 +0100)]
oe-setup-build: TEMPLATECONF were not applied correctly
Since a recent change to support dash, cmd_base is a set of several
commands, separated by newlines.
TEMPLATECONF was only effective for the first command in that set,
which is not where it's needed.
Putting it on its own line will ensure that it's present for
everything in cmd_base.
Ross Burton [Mon, 9 Feb 2026 12:56:22 +0000 (12:56 +0000)]
classes/pkgconfig: move variable exports to the class
All recipes that use pkg-config should be inheriting the class so this
is a no-op change for those, and for recipes that do not use pkg-config
will no longer need to rebuild if these variables are changed.
Any recipes that use pkg-config but do not inherit the class will fail
to build, and this is intentional: those recipes should inherit the class.
This commit is simply the move of the exports, the values do not change.
Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ross Burton [Mon, 9 Feb 2026 12:56:21 +0000 (12:56 +0000)]
python3-numpy: backport a Meson patch to fix pkg-config lookups
When Meson uses pkg-config to introspect the Python install it resets
PKG_CONFIG_PATH and PKG_CONFIG_LIBDIR to the location that the running
python3 says is the library directory. However, when it writes to
PKG_CONFIG_LIBDIR it uses the _target_ library directory without
prefixing this with the sysroot, which breaks the build if _LIBDIR is
the primary search path.
This has been fixed in Meson since 1.10.0[1] but numpy has a vendored
fork of Meson that is currently at 1.9.2, so backport the specific fix
to solve this problem.
Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
projects / thirdparty / openembedded / openembedded-core.git / log
