Update LAYERSERIES_COMPAT in all layer.conf files with the exception
of meta-parsec to wrynose. For meta-parsec, added wrynose to the list
of supported versions.
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
Change the "poky" layer configuration name to "meta-yocto" in the
KAS configuration so the cloned repo name is less confusing in logs,
and fix a spot where "poky" -> "openembedded-core" had been missed
in the gitlab configuration.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Commit cd729862f6 added native/nativesdk
possibility to tpm2-pkcs11.
After 784ca4b658 which added rdepends on
python3-tpm2-pytss, there are errors like:
Missing or unbuildable dependency chain was:
['<image>', 'swtpm-native', 'tpm2-pkcs11-tools-native', 'python3-tpm2-pytss-native']
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Allow downstream users to explicitly select desired PACKAGECONFIG
options (e.g. via "=").
Users are currently forced to use ":remove" (with "ptest").
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
This is necessary for cryptsetup starting from v2.8.0 which introduced
"[units]" in its output breaking the parsing of veritysetup output.
VERITY header information for image-poky-20250701085433.squashfs-zst.verity.
UUID: 5dc16c55-79b8-4988-9d79-900f8e143f98
Hash type: 1
Data blocks: 40091
Data block size: 4096 [bytes]
Hash blocks: 318
Hash block size: 4096 [bytes]
Hash algorithm: sha256
Salt: f670bf67a32f4f5a22e052d7bf84830f8d35ea24e2d52f585f6275207899153b
Root hash: a7eab55b7933e347650671611e4b2a10571f2a28a1fb0fc8eae409f7a0d86693
This extends the value filter to remove the "[units]" from the .env file,
while retaining compatibility to older cryptsetup releases.
Signed-off-by: Stephan Wurm <stephan.wurm@a-eberle.de>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
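The filtering described in the commit message above, sketched as an added example; this is not the layer's own code. The function names and the upper-case KEY=value naming of the .env entries are assumptions, and the sample input is the veritysetup output quoted in that message.

```shell
#!/bin/sh
# Added example (not the layer's code): veritysetup output -> KEY=value lines.
# Assumption: keys are upper-cased with spaces turned into underscores.

# Sample input: the output quoted in the commit message (cryptsetup >= 2.8.0).
verity_sample() {
    cat <<'EOF'
VERITY header information for image-poky-20250701085433.squashfs-zst.verity.
UUID:            5dc16c55-79b8-4988-9d79-900f8e143f98
Hash type:       1
Data blocks:     40091
Data block size: 4096 [bytes]
Hash blocks:     318
Hash block size: 4096 [bytes]
Hash algorithm:  sha256
Salt:            f670bf67a32f4f5a22e052d7bf84830f8d35ea24e2d52f585f6275207899153b
Root hash:       a7eab55b7933e347650671611e4b2a10571f2a28a1fb0fc8eae409f7a0d86693
EOF
}

# stdin: veritysetup output; stdout: one KEY=value line per field.
verity_to_env() {
    while IFS=: read -r key val; do
        [ -n "$val" ] || continue   # banner line carries no "key: value" pair
        key=$(printf '%s' "$key" | tr '[:lower:]' '[:upper:]' | tr ' ' '_')
        # Drop a trailing "[units]" tag when present, then all blanks, so
        # output from older cryptsetup releases passes through unchanged.
        val=$(printf '%s' "$val" \
            | sed 's/[[:space:]]*\[[^]]*][[:space:]]*$//' | tr -d ' \t')
        printf '%s=%s\n' "$key" "$val"
    done
}

# stdin: env lines; fails if a numeric or hex field carries stray characters,
# which is how an unfiltered "[bytes]" suffix would show up.
verity_env_check() {
    rc=0
    while IFS='=' read -r key val; do
        case "$key" in
            DATA_BLOCKS|DATA_BLOCK_SIZE|HASH_BLOCKS|HASH_BLOCK_SIZE)
                case "$val" in ''|*[!0-9]*) echo "bad $key=$val" >&2; rc=1 ;; esac ;;
            ROOT_HASH|SALT)
                case "$val" in ''|*[!0-9a-f]*) echo "bad $key=$val" >&2; rc=1 ;; esac ;;
        esac
    done
    return $rc
}

verity_sample | verity_to_env | verity_env_check && echo "verity env OK"
```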
Changes to catch up with current kas and future-proof a bit:
* Update the kas configuration file versions to 19 to match kas 4.8.x.
* Change refspec to branch to remove deprecation warnings.
* Add quoting around URLs to match upstream examples.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Since clang is in openembedded-core now, meta-parsec no longer needs
meta-clang. Also updated maintainers in meta-parsec README.md since
it had previously been missed.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
jansson is required as of Suricata 5.0:
e49c40428e
This is still required in the latest release:
https://github.com/OISF/suricata/blob/suricata-8.0.2/configure.ac#L828
On exclusion attempt:
[...]
| checking for jansson.h... no
| checking for json_dump_callback in -ljansson... no
|
| ERROR: Jansson is now required.
|
| Go get it from your distribution or from:
| http://www.digip.org/jansson/
|
| Ubuntu/Debian: apt install libjansson-dev
| CentOS: yum install jansson-devel
| Fedora: dnf install jansson-devel
|
| NOTE: The following config.log files may provide further information.
| NOTE: [...]/poky-whinlatter/build/tmp/work/cortexa57-poky-linux/suricata/7.0.13/sources/suricata-7.0.13/config.log
| ERROR: configure failed
| WARNING: exit code 1 from a shell command.
ERROR: Task ([...]/poky-whinlatter/layers/meta-security/recipes-ids/suricata/suricata_7.0.13.bb:do_configure) failed with exit code '1'
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Switch back to the "stable" branch in SRC_URI now that upstream
has changed its branch maintenance model so it is indeed stable.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Inherit github-releases class to check the correct latest stable
version.
Before the patch:
$ devtool latest-version sssd
INFO: Current version: 2.10.2
INFO: Latest version:
After the patch:
$ devtool latest-version sssd
INFO: Current version: 2.10.2
INFO: Latest version: 2.11.1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Add UPSTREAM_CHECK_URI to check the correct latest stable version.
Before the patch:
$ devtool latest-version libmash
INFO: Current version: 0.9.9.9
INFO: Latest version:
After the patch:
$ devtool latest-version libmash
INFO: Current version: 0.9.9.9
INFO: Latest version: 0.9.9.9
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Add modern ClamAV 1.4.3 recipe with comprehensive improvements over
the legacy 0.104.4 version. Remove the end-of-life 0.104.4 recipe and
associated patches as they are superseded by this version.
Major changes in 1.4.3:
- Upgraded core engine with improved threat detection capabilities
- Added Rust components requiring cross-compilation support
- Updated CMake build system replacing legacy autotools
- Modernized library dependencies (LLVM, JSON-C, PCre2)
- Added comprehensive license compliance for multi-component package
- Enhanced cross-compilation support for all target architectures
The recipe includes dynamic Cargo configuration using Yocto variables
to support cross-compilation to any target architecture supported by
the build system.
Runtime configuration improvements:
- Set APP_CONFIG_DIRECTORY to ${sysconfdir}/clamav for proper config paths
- Added volatiles/tmpfiles support for /var/lib/clamav and /var/log/clamav
- Added pkg_postinst scripts to ensure correct directory ownership
- Implemented CMake cache variables for cross-compilation
- Updated all license checksums for compliance
- Added Rust toolchain integration with automatic environment setup
- Use Cargo vendoring with cargo + cargo-update-recipe-crates classes
Security rationale:
- ClamAV 0.104.4 reached end-of-life and is no longer maintained
- Upstream strongly recommends migration to 1.4.x for security updates
Signed-off-by: Hemant Jadhav <hemant.jadhav@emerson.com>
(regenerated diff, fixed building with systemd,
fixed target Rust configuration, disabled for 32-bit targets)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Add basic openscap test. This looks for an existing profile and runs a basic scan.
Openscap scans return 1 in case of failure, 0 in case of success and 2 when a
vulnerability has been found. As this does not aim to check openscap reports, 2 is
considered as a successful test.
Signed-off-by: Louis Rannou <louis.rannou@non.se.com>
(added to test image)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Fixes:
- typo in the RDEPENDS class-target override ('-' instead of ':')
- typo SUMARRY -> SUMMARY
Signed-off-by: Louis Rannou <louis.rannou@non.se.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
It was pointed out that the recipe was wrongly doing
FILESEXTRAPATHS:append, but on inspection the recipe does
not need it at all, so just remove.
Reported-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
In Yocto, there is only one Python interpreter (python3), and the
auto-generated "fail2ban-python" symlink is not used. To ensure
all installed scripts can run correctly, replace the shebang line
from "#!/usr/bin/env fail2ban-python" to "#!/usr/bin/env python3"
during installation.
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Replace poky repository configuration with separate bitbake,
openembedded-core, and meta-poky repository configurations.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
To avoid confusion, remove stray aircrack-ng entry as it is actually
in the main layer and not meta-tpm.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Changes:
- Add libmhash and libgssglue so they will get tested by CI.
- Switch to MACHINE_ARCH to facilitate the above, but it makes sense
anyway due to all the machine overrides used in the packagegroup
definition.
- Add the recently added python3-suricata-update so it will get
tested by CI.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Remove the paxctl recipe since it has seemingly been broken for a
while without anyone noticing, and there likely have been no actual
users since grsecurity stopped doing public releases in 2017.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Remove the libest recipe since it has been disabled since November
2021, and upstream has shown no activity since 2022.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Remove the tripwire recipe since it has been disabled since May 2021,
and upstream has shown no activity since 2018.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Update to latest git rev as the current version doesn't work with
OpenSSH 9.8+[1].
Ptest result:
$ ptest-runner python3-fail2ban
START: ptest-runner
2025-09-21T12:45
BEGIN: /usr/lib64/python3-fail2ban/ptest
Ran 538 tests in 13.045s
OK (skipped=3)
DURATION: 14
END: /usr/lib64/python3-fail2ban/ptest
2025-09-21T12:46
STOP: ptest-runner
TOTAL: 1 FAIL: 0
[1] 2fed408c05
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>