Add ptest infrastructure to test the Go standard library.
- Run 'go test -short std' via run-ptest script
- Install source tree and pkg/include headers
- Create VERSION file for architecture detection
- Exclude multi-arch binary testdata to avoid QA errors
apr-util is tracked in NVD under apache:apr-util, while a smaller set
of newer CVEs also appears under apache:portable_runtime_utility.
Set CVE_PRODUCT accordingly so cve-check can cover both the historical
and current NVD product identities used for APR-util.
apr is tracked in NVD under apache:portable_runtime rather than the
recipe name apr. Set CVE_PRODUCT accordingly so cve-check uses the
correct NVD product identity for APR.
No additional alias was found to be necessary for this recipe.
Peter Marko [Tue, 28 Apr 2026 16:54:20 +0000 (18:54 +0200)]
sudo: set CVE_PRODUCT
This change removes currently open CVE-2025-64170 and CVE-2025-64517
from reports which are for "trifectatech:sudo-rs".
It also removes following "patched" ones:
* CVE-2023-42456 (memorysafety:sudo)
* CVE-2025-46717 (trifectatech:sudo)
* CVE-2025-46718 (trifectatech:sudo)
All these are also for "sudo-rs".
Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Peter Marko [Mon, 27 Apr 2026 21:51:18 +0000 (23:51 +0200)]
cups: upgrade 2.4.16 -> 2.4.19
Release notes:
* https://github.com/OpenPrinting/cups/releases/tag/v2.4.19
* CUPS 2.4.19 fixes a regression in shared printing from non-local accounts (Issue #1557)
* https://github.com/OpenPrinting/cups/releases/tag/v2.4.18
* The new release 2.4.18 contains a hotfix after the CVE-2026-27447 fix:
* Fixed cupsd crash if user does not exist (Issue #1555)
* https://github.com/OpenPrinting/cups/releases/tag/v2.4.17
* The new release 2.4.17 contains the following security fixes:
* CVE-2026-27447: The scheduler treated local user and group names as case-
insensitive.
* CVE-2026-34978: The RSS notifier could write outside the scheduler's RSS
directory.
* CVE-2026-34980: The scheduler did not filter control characters from option
values.
* CVE-2026-34979: The scheduler did not always allocate enough memory for a
job's options string.
* CVE-2026-34990: The scheduler incorrectly allowed local certificates over the
loopback interface.
* CVE-2026-39314: Fixed the range check for job password strings.
* CVE-2026-39316: Fixed a printer subscription bug in the scheduler.
* CVE-2026-NNNNN: Fixed a SNMP string conversion bug in the backends.
Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Peter Marko [Mon, 27 Apr 2026 21:51:17 +0000 (23:51 +0200)]
coreutils: set CVE_PRODUCT
This removes rust uutils coreutils CVEs from reports.
Comparing sbom-cve-check shows that only
CVE-2026-35338..CVE-2026-35381 are removed and all of them contained
reference to uutils.
Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ross Burton [Mon, 27 Apr 2026 20:46:38 +0000 (21:46 +0100)]
p11-kit: add PACKAGECONFIG for trust and systemd
libtasn dependencies are specific to the trust module, add a PACKAGECONFIG
for that and move the dependencies. This is currently enabled by default
to preserve behaviour.
p11-kit has optional systemd user units for the remote server, add a
PACKAGECONFIG for that that respects the systemd DISTRO_FEATURE.
Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Richard Purdie [Mon, 27 Apr 2026 21:28:49 +0000 (22:28 +0100)]
pseudo: Update 1.9.5 -> 1.9.6
Pulls in the changes:
* Makefile.in: Bump version to 1.9.6
* pseudo_util.c: Fix symlink processing for symlinkat and related
* test: Add test symlinkat and related
* ports/unix: realpath: Fix chroot processing
* test: Add test cases for canonicalize functions
* ports/unix: fts_open: Fix chroot behavior
* ports/unix: fts_*: Certain functions were incorrectly returning stat data
* test: Add fts test case
* test: Add test for linkat chroot path stripping
* linkat: Avoid a segmentation fault
* Only copy xattrs on a rename if it's cross-filesystem
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
oe-selftest: add test for useradd with only USERADD_DEPENDS
Add a test case to verify that a recipe inheriting useradd with only
USERADD_DEPENDS set (and no USERADD_PACKAGES) parses and builds
successfully. This validates the fix in useradd.bbclass for
[YOCTO #15863].
Signed-off-by: Nguyen Minh Tien <zizuzacker@gmail.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
meta-selftest: add usegroup-deponly recipe to test USERADD_DEPENDS only
Add a test recipe that inherits useradd and only sets USERADD_DEPENDS
without USERADD_PACKAGES to validate the fix for [YOCTO #15863].
The root bug is that useradd.bbclass unconditionally requires
USERADD_PACKAGES to be set, even when a recipe only needs to depend on
users/groups created by another recipe via USERADD_DEPENDS. This recipe
depends on creategroup1 for user gt1 and group grouptest, but does not
create any users/groups itself, exercising the code path fixed in the
previous commit.
Signed-off-by: Nguyen Minh Tien <zizuzacker@gmail.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Sam Kent [Tue, 21 Apr 2026 10:28:44 +0000 (11:28 +0100)]
package.py: fix kernel module file pre-filter and document strip asymmetry
Change the check to f.endswith(".ko"), consistent with strip_execs() and
with the /lib/modules/ guard already present in is_elf() and
splitdebuginfo().
Fixes [YOCTO #2348]
Signed-off-by: Sam Kent <sam.john.kent@gmail.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
pulseaudio: split pactl into a dedicated client subpackage
pactl is a client-side control utility and is required on
PipeWire-based systems for audio control. pactl was packaged
as part of pulseaudio-server, making it difficult to use
without also installing and enabling the pulseaudio daemon,
which can conflict with pipewire.
Move the pactl binary into a standalone pulseaudio-pactl subpackage
so it can be installed without pulling in the pulseaudio server.
sanity: add check for own-mirrors/SOURCE_MIRROR_URL
The SOURCE_MIRROR_URL variable belongs to the own-mirrors class. However, the
user may forget to define it. This will cause the class to inject incorrect
content into PREMIRRORS, resulting in the following error:
Remove unused long options from getopt.getopt() call. The long options
"help", "input", and "output" were never handled in the option parsing
logic, so they are dead code.
Signed-off-by: Bin Cao <bin.cao.cn@windriver.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Li Wang [Fri, 24 Apr 2026 09:20:51 +0000 (17:20 +0800)]
perf: add PACKAGECONFIG for llvm
for avoiding to enable llvm option under uncommon condition,
make llvm controll under PACKAGECONFIG.
error log:
ERROR: perf-1.0-r2 do_package_qa: QA Issue: /usr/bin/trace contained in package perf requires libLLVM.so.2x.x(LLVM_2x.x)(64bit), but no providers found in RDEPENDS:perf? [file-rdeps]
Signed-off-by: Li Wang <li.wang@windriver.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
The tests are in the 'testing_vcs' directory, so set PTEST_PYTEST_DIR
accordingly. Add setuptools, setuptools-scm, and git to the ptest
RDEPENDS, since many of the tests make use of them. Many of the skipped
tests depend on mercurial, but that's in meta-oe and not worth moving to
oe-core just for this.
Add python3-vcs-versioning to PTESTS_FAST in ptest-packagelists.inc,
since the suite only takes a few seconds.
We also need a custom run-ptest script for two reasons:
1. There is a 'vcs_versioning.test_api' used as a plugin. This is
mentioned in conftest.py but is intended to be picked up from
pyproject.toml, which we don't ship with the ptest image. Instead,
just add '-p vcs_versioning.test_api' to the pytest call.
2. The test logic tries to rewrite pytest's assertion failures, which
doesn't work well with our automake formatting. We can work around
this by telling pytest to output plain messages with --assert=plain.
Note that the releases page also includes notes for the vcs-versioning
module, which is published separately (and which setuptools-scm depends
on). The new python3-vcs-versioning recipe is added to dependency lists.
Also rework the DEPENDS list to match the same formatting as RDEPENDS.
The setuptools-scm project[1] now ships a second module which can be
used independently of setuptools if desired. This is now a dependency
for setuptools-scm, so add a recipe for it.
Update the maintainers.inc file with the recipe and myself as
maintainer.
Backport a patch from upstream to allow python3-urllib3 2.6.3 to build
with python3-setuptools-scm 10.x, so that we can use an updated version
of that recipe.
Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
- Add mpc_exp10, mpc_exp2, mpc_log2 functions
- Fix mpc_tan/mpc_tanh for large imaginary parts
- Fix mpc_pow imaginary sign with real inputs
- Fix mpc_fr_div/mpc_ui_div zero sign handling per C2Y draft
- Add pkg-config support
Leonardo Costa [Thu, 23 Apr 2026 12:40:30 +0000 (09:40 -0300)]
bluez5: add patches to fix 8.56 cli issues
On bluez5 5.86, the bluetoothctl cli interface does not work outside of
the dedicated shell to list controllers and devices [1]. These patches fix
the issue while version 5.87 is not published.
Peter Tatrai [Thu, 23 Apr 2026 07:17:01 +0000 (09:17 +0200)]
rust: fix codegen test failure on big-endian targets
The test tests/codegen-llvm/issues/multiple-option-or-permutations.rs
uses FileCheck to verify LLVM IR for Option::or operations on slices.
The CHECK-NEXT directives assumed a little-endian memory layout where
the Option discriminant is the low byte, emitting a simple:
trunc i16 %0 to i1
On big-endian targets (e.g. powerpc), the discriminant resides in the
high byte, so LLVM first emits an lshr before the trunc, causing the
test to fail.
Backport upstream fix from rust-lang/rust#151780 which introduces
BIG/LITTLE revisions with the only-endian-big / ignore-endian-big
directives (also backported via directive_names.rs change) to handle
both layouts correctly.
Wang Mingyu [Tue, 21 Apr 2026 09:55:57 +0000 (17:55 +0800)]
vala: upgrade 0.56.18 -> 0.56.19
Changelog
============
* Various improvements and bug fixes:
- codegen: Minor refactoring of TypeRegisterFunction and its subclasses
- codegen: Use G_TYPE_FLAG_NONE when targetting glib >= 2.74
- codegen: Use g_once_init_{enter,leave}_pointer when targetting glib >= 2.80
- codegen: Propagate default_value_on_error from parent struct
- codegen: Return default_value_on_error on precondition failures
- gdbus: Avoid unused variables in method call and properties getter/setter
- gdbus: Allow GLib.VariantDict for a{sv}
- gdbus: Do not provide unintended read/write access to properties
- parser: Fix statement error recovery
- vala: Use reference-transfer as needed when transforming
conditional-expression
- girwriter: Don't use instance-parameter inside function elements
- girwriter: Add the doc:format argument in the .gir file
- libvaladoc: Do not error-out on doc:format
- libvaladoc: Add compat layer for gvRenderData to cope with API break
* Bindings:
- glib-2.0: allow FileUtils.open_tmp's first argument to be null
- posix: add UTIME_{NOW,OMIT} constants for utimensat
- gsl: Deprecate gsl_linalg_cholesky_decomp in favour of
gsl_linalg_cholesky_decomp1
- libxml-2.0: Add more fields to ParserCtxt
- gobject-2.0: Set default_value{,_on_error} for GType
- glib-2.0: Fix *.add_once () callbacks
- gobject-2.0: Fix return type
- gobject-2.0: Add Type.to_string ()
- gstreamer-1.0: Fix ownership of Caps.full*() parameters
- glib-2.0: fix a typo in a parameter name
- gtk4: Update to 4.21.6+83716767
- gtk4: Make all Gsk.RenderNode and Gsk.Renderer shadow their parent type
- gtk4: Fix CursorGetTextureCallback declaration
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Wang Mingyu [Tue, 21 Apr 2026 09:55:45 +0000 (17:55 +0800)]
python3-pytest: upgrade 9.0.2 -> 9.0.3
Bug fixes
============
- #12444: Fixed pytest.approx which now correctly takes into account
~collections.abc.Mapping keys order to compare them.
- #13634: Blocking a conftest.py file using the -p no: option is now explicitly
disallowed.
- Previously this resulted in an internal assertion failure during plugin
loading.
- Pytest now raises a clear UsageError explaining that conftest files are not
plugins and cannot be disabled via -p.
- #13734: Fixed crash when a test raises an exceptiongroup with
__tracebackhide__ = True.
- #14195: Fixed an issue where non-string messages passed to
unittest.TestCase.subTest() were not printed.
- #14343: Fixed use of insecure temporary directory (CVE-2025-71176).
Improved documentation ======================
- #13388: Clarified documentation for -p vs PYTEST_PLUGINS plugin loading and
fixed an incorrect -p example.
- #13731: Clarified that capture fixtures (e.g. capsys and capfd) take
precedence over the -s / --capture=no command-line options in Accessing
captured output from a test function <accessing-captured-output>.
- #14088: Clarified that the default pytest_collection hook sets session.items
before it calls pytest_collection_finish, not after.
- #14255: TOML integer log levels must be quoted: Updating reference
documentation.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Wang Mingyu [Tue, 21 Apr 2026 09:55:41 +0000 (17:55 +0800)]
python3-poetry-core: upgrade 2.3.1 -> 2.3.2
Changed
========
- Update list of supported licenses (#917).
Fixed
======
- Fix an issue where platform_release could not be parsed on Debian Trixie
- Fix an issue where using project.readme.text in the pyproject.toml file
resulted in broken metadata
- Fix an issue where dependency groups were considered equal when their
resolved dependencies were equal, even if the groups themselves were not
- Fix an issue where removing a dependency from a group that included another
group resulted in other dependencies being added to the included group
- Fix an issue where PEP 735 include-group entries were lost when
[tool.poetry.group] also defined include-groups for the same group
- Fix an issue where the union of <value> not in <marker> constraints was
wrongly treated as always satisfied
- Fix an issue where a post release with a local version identifier was wrongly
allowed by a > version constraint
- Fix an issue where a version with the local version identifier 0 was treated
as equal to the corresponding public version
- Fix an issue where a != <version> constraint wrongly disallowed pre releases
and post releases of the specified version
- Fix an issue where in and not in constraints were wrongly not allowed by
specific compound constraints
- Fix an issue where data entries in generated setup.py files were duplicated
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Wang Mingyu [Tue, 21 Apr 2026 09:55:36 +0000 (17:55 +0800)]
python3-editables: upgrade 0.5 -> 0.6
License-Update: Line endings in the license file were changed from CRLF to LF.
Changelog:
==========
- Add a new "self_replace" strategy for map (and name the old strategy
"import_hook"). Based on an idea
- Rename the generated .pth file to _editable_impl_<project>.pth and document
that it is possible to customise the file names used.
- Rework the documentataion, replacing the "use cases" section with an expanded
and less opinionated "scope" section.
- Test suite improvements.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Wang Mingyu [Tue, 21 Apr 2026 09:55:35 +0000 (17:55 +0800)]
python3-dtschema: upgrade 2025.12 -> 2026.4
Changelog:
===========
- New PCI bridge properties
- New linux,dmcryptkeys chosen property
- Relax simple-bus schema to have unit-addresses with chip-select number
and offset
- Avoid backtrace on missing $ref. Instead the missing ref will cause a
validation warning.
- Print the property name on decode failures
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Wang Mingyu [Tue, 21 Apr 2026 09:55:32 +0000 (17:55 +0800)]
pciutils: upgrade 3.14.0 -> 3.15.0
Changelog:
==========
* New capabilities are decoded: MMIO Register Block Locator,
Flit Error Injection, Flit Logging.
* Decoding of PCIe capabilities updated to Gen7.
* Both lspci and setpci warn when the "-s" or "-d" option
is given multiple times.
* Improved display of interrupts in "lspci -vv". Routing of
interrupt pins is shown only if the pins are not disabled.
Routing of MSI(X) interrupts is shown when available
(which is currently supported by the sysfs back-end only).
* Minor improvements to Windows back-ends.
* The dump back-end can read the dump from stdin when given "-"
as a file name.
* FreeBSD supports 64-bit addresses.
* Added README.DJGPP.
* Updated pci.ids.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Wang Mingyu [Tue, 21 Apr 2026 09:55:31 +0000 (17:55 +0800)]
pango: upgrade 1.57.0 -> 1.57.1
Bugs fixed:
- #867 Bad font substitution causes application crashes
- #869 MacOS: subprojects/cairo/meson.build:1:0: ERROR: Value "gnu11,c11" (of
type "string") (sid)
- #870 MacOS: subprojects/pango/utils/viewer-cocoa.m:23:10: fatal error:
'cairo/cairo.h' file not found (sid)
- #871 gtk4-widget-factory crashes with pango error on macOS when an emoji is
entered into a text field
- #876 Inconsistency between documentation and code in
pango_context_set_font_description
- #882 The hex box characters generated in PDF can not be copied
- #885 warning: assignment discards 'const' qualifier from pointer target type
[-Wdiscarded-qualifiers]
- !884 Revert "meson: Rework introspection handling"
- !890 Update the code to support Unicode 17.0.0
- !892 Include fcfreetype.h where needed
- !893 meson: Update freetype2 wrap to fix ci warnings
- !894 Respect explicit language attribute when itemizing
- !895 Fix some subproject woes
- !896 meson: Add support for cross-compiling using Apple subsystems
- !897 (break.c) pass sentences to handle_sentences
- !898 add support for g_autoptr(PangoScriptIter)
- !900 fontmap: Mark get_family as nullable
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Wang Mingyu [Tue, 21 Apr 2026 09:55:28 +0000 (17:55 +0800)]
lzip: upgrade 1.25 -> 1.26
Changelog:
===========
- '-dvv' and '-tvv' now print (de)compressed sizes instead of compression
ratio. (Sizes are more informative than compression ratio).
- Large numbers in option arguments are now accepted with underscore
separators (-s 123_456_789).
- Large numbers are now printed with underscore separators (123_456_789).
- '-h' now prints a short help screen containing only the command-line
options. For full help, use '--help'.
- '--list' now can safely skip any trailing data added to a lzip file by the
option '--append' of lziprecover.
- '--list' now prints '+t' after the number of members to indicate the
presence of trailing data, and prints the size of the trailing data below
the size of the last member.
- '-lvv' now prints a blank line between the list of members of each
multimember file and the next file.
- Several improvements suggested by John Gilmore have been made to the manual.
- 'EXIT STATUS' now has its own section in the man page.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Wang Mingyu [Tue, 21 Apr 2026 09:55:26 +0000 (17:55 +0800)]
libcap: upgrade 2.77 -> 2.78
Changelog:
===========
- Fix a security vulnerability (CVE-2026-4878).
- Fix a typo in a capset error
- Reverted some build macrology to get back to something that worked (admittedly sub-optimally).
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Wang Mingyu [Tue, 21 Apr 2026 09:55:22 +0000 (17:55 +0800)]
gtk+3: upgrade 3.24.51 -> 3.24.52
* Bugs fixed:
- #6306 [GTK3] Zlib required when broadway is enabled.
- #7796 [GTK 3] Invalid a11y events when calling `gtk_tree_view_set_cursor` on
an unfocused GtkTreeView
- #7976 Firefox crashes at gdk_wayland_drag_context_manage_dnd() when missing
toplevel wl_surface
- #8103 gtk3 refresh_rate calculation overflows on 32-bit targets
- #8114 Images for recolored icons are constantly being reloaded
- GNOME/gimp#14901 Wild strobing in multi window mode
- GNOME/gimp#15480 GIMP does not focus on dialogue boxes on Mac
- !7332 quartz: add automagic uti<->mime conversion for clipboard
- !8216 Fix position of child tooltips in GTK3 custom windows
- !9005 a11y: Don't send focus-related events for unfocused treeview
- !9012 quartz: gtkwindow - fix windows fighting focus
- !9022 gtkmenu: Await more motion events before deactivating on release
- !9044 wayland: Handle XKB initialization failures gracefully
- !9067 gdk/win32: Add missing EGL conditional compilation guard
- !9098 gdk: do not run gdk_wayland_window_export_handle() callback when
window is already destroyed.
- !9119 Declare an explicit dependency on zlib when broadway is enabled
- !9141 [GTK 3] wayland: Try to open the display even if XDG_RUNTIME_DIR is
unset
- !9155 [gtk3] emoji: Update data to CLDR 48
- !9214 display/wayland: Gracefully handle dispose being called twice
- !9284 gdk/wayland: Map stylus buttons for BTN_BACK and BTN_FORWARD (Peter
Hutterer)
- !9322 [Quartz] Fix dialog keyboard focus while preventing focus fighting
- !9344 Fix a couple of leaks
- !9394 gdk/wayland: Map stylus buttons for BTN_BACK and BTN_FORWARD
- !9397 wayland: Avoid a crash
- !9600 Replace outdated freedesktop.org Window Manager spec links
- !9676 x11: fix overflow in refresh_rate calculation on 32-bit systems
- !9706 cssimage: Store and reuse icon info for recolored images
- !9707 wayland: Fix uninitialized value when no cursor
- !9708 fontchooser: Fix signedness of axes count
- !9709 fontchooser: Remove const on float return values
- !9710 print: Remove unused variable
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
projects / thirdparty / openembedded / openembedded-core-contrib.git / log
