[OE-core] [PATCH] cve-check: allow filtering out patched issues
It can be useful to filter out patched issues since they are no longer
vulnerable. This makes it easier to sift through what CVEs still might
need to be fixed.
Signed-off-by: Dan Dedrick
---
meta/classes/cve-check.bbclass | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 743bc08a4f..a486d686ae 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -35,6 +35,7 @@ CVE_CHECK_DIR ??= "${DEPLOY_DIR}/cve"
CVE_CHECK_MANIFEST ?=
"${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.cve"
CVE_CHECK_COPY_FILES ??= "1"
CVE_CHECK_CREATE_MANIFEST ??= "1"
+CVE_CHECK_EXCLUDE_PATCHED ??= "0"
# Whitelist for packages (PN)
CVE_CHECK_PN_WHITELIST = "\
@@ -54,6 +55,8 @@ python do_cve_check () {
if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE")):
patched_cves = get_patches_cves(d)
patched, unpatched = check_cves(d, patched_cves)
+if d.getVar("CVE_CHECK_EXCLUDE_PATCHED") == "1":
+patched = []
if patched or unpatched:
cve_data = get_cve_info(d, patched + unpatched)
cve_write_data(d, patched, unpatched, cve_data)
--
2.20.1
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH] devtool: improve git repo checks before check_commits logic
The check_commits logic assumes that both devtool-base and args.branch
exist in the git repo that it is operating on. In order to prevent
errors at that point it's best to first ensure that both of these refs
actually exist. If they don't both exist then the check_commits logic
should just be skipped, as it would be if the repo wasn't originally
checked out by devtool.
Previously if a user removed the args.branch branch from their devtool
cloned repo this code would crash on adding the repo with -n. The crash
would look like this:
Traceback (most recent call last):
File "/home/ddedrick/src/poky/scripts/devtool", line 344, in
ret = main()
File "/home/ddedrick/src/poky/scripts/devtool", line 331, in main
ret = args.func(args, config, basepath, workspace)
File "/home/ddedrick/src/poky/scripts/lib/devtool/standard.py", line 812, in
modify
(stdout, _) = bb.process.run('git log devtool-base..%s' % branch,
cwd=srctree)
File "/home/ddedrick/src/poky/bitbake/lib/bb/process.py", line 178, in run
raise ExecutionError(cmd, pipe.returncode, stdout, stderr)
bb.process.ExecutionError: Execution of 'git log devtool-base..devtool' failed
with exit code 128:
fatal: ambiguous argument 'devtool-base..devtool': unknown revision or path not
in the working tree.
Use '--' to separate paths from revisions, like this:
'git [...] -- [...]'
---
scripts/lib/devtool/standard.py | 6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/scripts/lib/devtool/standard.py b/scripts/lib/devtool/standard.py
index d14b7a6543..328b5cf02e 100644
--- a/scripts/lib/devtool/standard.py
+++ b/scripts/lib/devtool/standard.py
@@ -769,9 +769,13 @@ def modify(args, config, basepath, workspace):
check_commits = True
else:
if os.path.exists(os.path.join(srctree, '.git')):
-# Check if it's a tree previously extracted by us
+# Check if it's a tree previously extracted by us. This is done
+# by ensuring that devtool-base and args.branch (devtool)
exist.
+# The check_commits logic will cause an exception if either one
+# of these doesn't exist
try:
(stdout, _) = bb.process.run('git branch --contains
devtool-base', cwd=srctree)
+bb.process.run('git rev-parse %s' % args.branch,
cwd=srctree)
except bb.process.ExecutionError:
stdout = ''
if stdout:
--
2.20.1
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH] devtool: remove duplicate overrides
DEVTOOL_EXTRA_OVERRIDES only needs one entry for each instance of
overrides. Previous to these changes it would find every override to
SRC_URI and add it to the list. This would duplicate instances where
SRC_URI is modified multiple times with the same override like:
SRC_URI_append_foo += "file://0001-foo.patch"
SRC_URI_append_foo += "file://0002-bar.patch"
A bbappend might also overwrite a SRC_URI override, which would also
cause multiple instances to occur.
When there are multiple instances of the same override in
DEVTOOL_EXTRA_OVERRIDES it causes devtool modify to fail when creating
override branches. The failure occurs when attempting to create the same
override branch a second time and looks like this:
The stack trace of python calls that resulted in this exception/failure was:
File: 'exec_python_func() autogenerated', lineno: 2, function:
0001:
*** 0002:devtool_post_patch(d)
0003:
File: '/build/poky/meta/classes/devtool-source.bbclass', lineno: 202, function:
devtool_post_patch
0198:
0199:for override in extra_override_list:
0200:localdata = bb.data.createCopy(d)
0201:if override in default_overrides:
*** 0202:bb.process.run('git branch devtool-override-%s %s' %
(override, devbranch), cwd=srcsubdir)
0203:else:
0204:# Reset back to the initial commit on a new branch
0205:bb.process.run('git checkout %s -b
devtool-override-%s' % (initial_rev, override), cwd=srcsubdir)
0206:# Run do_patch function with the override applied
File: '/build/poky/bitbake/lib/bb/process.py', lineno: 178, function: run
0174:if not stderr is None:
0175:stderr = stderr.decode("utf-8")
0176:
0177:if pipe.returncode != 0:
*** 0178:raise ExecutionError(cmd, pipe.returncode, stdout, stderr)
0179:return stdout, stderr
Exception: bb.process.ExecutionError: Execution of 'git branch
devtool-override-foo devtool' failed with exit code 128:
fatal: A branch named 'devtool-override-foo' already exists.
Signed-off-by: Dan Dedrick
---
scripts/lib/devtool/standard.py | 5 +
1 file changed, 5 insertions(+)
diff --git a/scripts/lib/devtool/standard.py b/scripts/lib/devtool/standard.py
index d14b7a6543..a45ad36812 100644
--- a/scripts/lib/devtool/standard.py
+++ b/scripts/lib/devtool/standard.py
@@ -509,6 +509,11 @@ def _extract_source(srctree, keep_temp, devbranch, sync,
config, basepath, works
if not 'flag' in event:
if event['op'].startswith(('_append[', '_prepend[')):
extra_overrides.append(event['op'].split('[')[1].split(']')[0])
+# We want to remove duplicate overrides. If a recipe had multiple
+# SRC_URI_override += values it would cause mulitple instances of
+# overrides. This doesn't play nicely with things like creating a
+# branch for every instance of DEVTOOL_EXTRA_OVERRIDES.
+extra_overrides = list(set(extra_overrides))
if extra_overrides:
logger.info('SRC_URI contains some conditional appends/prepends -
will create branches to represent these')
--
2.20.1
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH 1/7] allarch: only enable allarch when multilib is not used
I'm resurrecting this thread because this change negatively affects our use
of multilib. The use case that this is fixing seems to be a a case that
would be a better fit for multiconfig than it would multilib. My
interpretation of the use cases of multilib and multiconfig is as follows
and someone can correct me if this is wrong.
Multilib allows images to be built that support multiple architectures on
the same image. Specifically this use case is interesting for cases where
some library or tool has to be 32-bit (for whatever reason might apply) but
the rest of the image is 64-bit. For example we have a 32-bit library from
a third party vendor and that vendor won't provide us with a 64-bit
version. So we want the majority of our system to be 64-bit but need
multilib to support the subset of our image that needs to be 32-bit. The
result is that some portion of our image has to be 32-bit but whenever
possible we'd like to be using the 64-bit packages to reduce duplicating
packages between 32 and 64 bit.
Multiconfig allows for multiple configs and seems well suited to cases
where there are separate images for each config. So you could have a 32-bit
image from one config and a 64-bit image from another config. If no image
cross-contamination is required, as seems to be the intent of the request
here, then multiconfig can ensure that while not reducing the usefulness of
allarch. The original scenario seemed to follow this pattern where there is
a lib32-core-image-sato and a core-image-sato.
In our multilib case we want the behavior from before this change. So in
the specific use case of 'lib32-curl -> ca-certificate -> openssl' we
actually want this. The reason behind this being the desired behavior is
that the main architecture would certainly already require openssl so
adding the 32-bit version would cause duplication and therefore increase
our images size unnecessarily. In the past we had actually found that
installing some duplicate things that overlapped like "/usr/bin/openssl"
would cause racey behavior where sometimes we got the 32-bit version and
others we got the 64-bit version.
Additionally the removal of allarch from all multilib builds also seem like
a poor choice as multilib builds now lose all of the benefits that are
generally available from allarch.
On Sun, Sep 16, 2018 at 10:27 PM Kang Kai wrote:
> On 2018年09月14日 22:12, Martin Jansa wrote:
> > On Fri, Sep 14, 2018 at 01:25:12PM +0200, Martin Jansa wrote:
> >> On Thu, Sep 13, 2018 at 10:10:46PM +0200, Martin Jansa wrote:
> >>> On Thu, Sep 13, 2018 at 08:20:07PM +0200, Martin Jansa wrote:
> On Thu, Sep 06, 2018 at 11:52:24PM +0800, kai.k...@windriver.com
> wrote:
> > From: Kai Kang
> >
> > Some allarch packages rdepends non-allarch packages. when multilib is
> > used, it doesn't expand the dependency chain correctly, e.g.
> >
> > core-image-sato -> ca-certificates(allarch) -> openssl
> >
> > we expect dependency chain for lib32-core-image-sato:
> >
> > lib32-core-image-sato -> ca-certificates(allarch) -> lib32-openssl
> >
> > it should install lib32-openssl for ca-certificates but openssl is
> still
> > wrongly required.
> >
> > Only enable allarch when multilib is not used to fix the issue.
> >
> > signed-off-by: kai kang
> > ---
> > meta/classes/allarch.bbclass | 12 +++-
> > meta/classes/icecc.bbclass | 2 +-
> > meta/classes/multilib.bbclass| 3 ++-
> > meta/classes/multilib_global.bbclass | 4 +---
> > meta/classes/package.bbclass | 9 ++---
> > 5 files changed, 21 insertions(+), 9 deletions(-)
> >
> > diff --git a/meta/classes/allarch.bbclass
> b/meta/classes/allarch.bbclass
> > index 1eebe0bf2e..45f62a5939 100644
> > --- a/meta/classes/allarch.bbclass
> > +++ b/meta/classes/allarch.bbclass
> > @@ -2,7 +2,17 @@
> > # This class is used for architecture independent recipes/data
> files (usually scripts)
> > #
> >
> > -PACKAGE_ARCH = "all"
> > +python allarch_package_arch_handler () {
> > +if bb.data.inherits_class("nativesdk", d) or
> bb.data.inherits_class("crosssdk", d):
> > +return
> > +
> > +variants = d.getVar("MULTILIB_VARIANTS")
> > +if not variants:
> > +d.setVar("PACKAGE_ARCH", "all" )
> > +}
> > +
> > +addhandler allarch_package_arch_handler
> > +allarch_package_arch_handler[eventmask] =
> "bb.event.RecipePreFinalise"
> Maybe I'm overlooking something, but doesn't this overwrite whatever
> PACKAGE_ARCH as set before this?
>
> I have some recipes where the PACKAGE_ARCH is set to MACHINE_ARCH
> through
> another bbclass, but then overwritten with "all" by
> allarch_package_arch_handler:
>
> # $PACKAGE_ARCH [5 operations]
> # set oe-core/meta/conf/bitbake.conf:150
> # [_defaultval] "${TUNE_PKGARCH}"
>
[OE-core] [PATCH] kernel-devicetree: build DTBs in parallel
When building more than one device tree it's inefficient to serially
build them in multiple make calls. It's much faster and efficient to
build them in one call where they can run in parallel.
Signed-off-by: Dan Dedrick
---
meta/classes/kernel-devicetree.bbclass | 6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/meta/classes/kernel-devicetree.bbclass
b/meta/classes/kernel-devicetree.bbclass
index 867b776aa7..83270c4511 100644
--- a/meta/classes/kernel-devicetree.bbclass
+++ b/meta/classes/kernel-devicetree.bbclass
@@ -50,10 +50,14 @@ do_configure_append() {
}
do_compile_append() {
+ alldtb=""
for dtbf in ${KERNEL_DEVICETREE}; do
dtb=`normalize_dtb "$dtbf"`
- oe_runmake $dtb
+ alldtb="${alldtb} ${dtb}"
done
+ if [ -n "${alldtb}" ]; then
+ oe_runmake ${alldtb}
+ fi
}
do_install_append() {
--
2.17.1
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH] staging: fix up multilib destsysroot path
The issues here was that WORKDIR changes based on the multilib variant
and the WORKDIR is used in the RECIPE_SYSROOT path. We need to use the
same WORKDIR that everything else is using so reset it before we expand
RECIPE_SYSROOT.
Signed-off-by: Dan Dedrick
---
meta/classes/staging.bbclass | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/classes/staging.bbclass b/meta/classes/staging.bbclass
index c479bd93ea..bd2ecd4776 100644
--- a/meta/classes/staging.bbclass
+++ b/meta/classes/staging.bbclass
@@ -479,6 +479,7 @@ python extend_recipe_sysroot() {
if variant not in multilibs:
multilibs[variant] = get_multilib_datastore(variant, d)
d2 = multilibs[variant]
+d2.setVar("WORKDIR", d.getVar("WORKDIR"))
destsysroot = d2.getVar("RECIPE_SYSROOT")
native = False
--
2.13.6
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH] dhcp: use ${BPN} instead of ${PN} for user
${PN} will include additional prefixes, such as lib32-, which are not
actually a part of the user that is being added. This was creating an unused
user and possibly missing the actually intended user. By using ${BPN} this
will remove all additional extra information and consistently be "dhcp".
Signed-off-by: Dan Dedrick
---
meta/recipes-connectivity/dhcp/dhcp.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-connectivity/dhcp/dhcp.inc
b/meta/recipes-connectivity/dhcp/dhcp.inc
index 58f4a6fd24..e94370786a 100644
--- a/meta/recipes-connectivity/dhcp/dhcp.inc
+++ b/meta/recipes-connectivity/dhcp/dhcp.inc
@@ -27,7 +27,7 @@ UPSTREAM_CHECK_REGEX = "(?P\d+\.\d+\.(\d+?))/"
inherit autotools systemd useradd update-rc.d
USERADD_PACKAGES = "${PN}-server"
-USERADD_PARAM_${PN}-server = "--system --no-create-home --home-dir
/var/run/${PN} --shell /bin/false --user-group ${PN}"
+USERADD_PARAM_${PN}-server = "--system --no-create-home --home-dir
/var/run/${BPN} --shell /bin/false --user-group ${BPN}"
SYSTEMD_PACKAGES = "${PN}-server ${PN}-relay ${PN}-client"
SYSTEMD_SERVICE_${PN}-server = "dhcpd.service dhcpd6.service"
--
2.13.6
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
