The current version of this script in Scarthgap is outdated, since it
still uses data from linux_kernel_cves. This repository was archived in
2024.
To avoid any risks of conflicts, and/or a patch series longer than it
needs to be, I copied the generate-cve-exclusions.py script from
oe-core's master branch (rev. "e954a94b5b528b2430e8da331107d7d58287f89b") as-is.
(From OE-Core rev: 66a13f93403533b95ed27eed24931aa310f8ce79)
Signed-off-by: João Marcos Costa (Schneider Electric) <joaomarcos.costa@bootlin.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
When running glibc tests under user mode NFS, tst-syslog was causing a hang. The
hang was traced to unfsd exitting with a buffer overflow being detected.
This was traced down to mksocket() where we'd see:
socket path '/media/build/poky/build/build-st-2118464/tmp/work/x86-64-v3-poky-linux/glibc-testsuite/2.42+git/build-x86_64-poky-linux/testroot.root/dev/log' is too long at 141 vs 108
There is a length check in mknod_args() but obj may not be setup at this point by
cat_name() since the functions can be executed out of order according to C.
To avoid this, make the order explict. This means the length is checked and we
avoid the buffer overflow. This will likely cause the glibc test to fail however
it won't hang, which is a win.
[YOCTO #16113]
(From OE-Core rev: 34f34512e5eeefc24b36b102a36fc90f14e2f7d2)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Hemanth Kumar M D <Hemanth.KumarMD@windriver.com>
(cherry picked from commit e51d5e19cb1ba1d5ad7442064b64821d178bc9ca)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Both CVEs are disputed by third parties. The observed behavior
(double free / invalid pointer free in readelf) only occurred in
pre-release code and did not affect any tagged version [1][2].
CVE_STATUS[CVE-2025-69650] = "disputed: observed behavior only in pre-release code, does not affect any tagged version"
CVE_STATUS[CVE-2025-69651] = "disputed: observed behavior only in pre-release code, does not affect any tagged version"
[1] https://www.cve.org/CVERecord?id=CVE-2025-69650
[2] https://www.cve.org/CVERecord?id=CVE-2025-69651
(From OE-Core rev: 55a0d8abad8a81f7d900557c2eb2d9327ee115df)
Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
(cherry picked from commit 9c6df56fe18237880c391798c2083dca595566f4)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Considering that *detail* is an actual variable, not a string, remove the
quotes to make the 'in' statement coherent.
(From OE-Core rev: 8071a93c6b619dc9fcc2a7f1bcf94994499defbe)
Signed-off-by: João Marcos Costa (Schneider Electric) <joaomarcos.costa@bootlin.com>
Reviewed-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
The description incorrectly stated that the sysroots are set up for
use during the packaging phase. In fact, do_prepare_recipe_sysroot
runs before do_configure, and the sysroots are consumed by
do_configure and do_compile.
Refer to do_configure and do_compile as the tasks that consume
prepared sysroots. Briefly describe the role of each sysroot.
Link do_configure, do_compile, and do_populate_sysroot via
:ref: to ease navigation.
Suggested-by: Alexander Kanavin <alex.kanavin@gmail.com>
Suggested-by: Antonin Godard <antonin.godard@bootlin.com>
(From yocto-docs rev: 1c5e7f136d7460fa5ad4c8a49ab1de31bd670e59)
Signed-off-by: Dawid Bijak <bijak.dawid@gmail.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit b50e8d36bdab53b004711ebc284d8ce8be593859)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
To properly fetch all the sources as suggested by the docs, one should
use "--runall=fetch".
(From yocto-docs rev: eb6a87177cec679eae9b2dfae86f49d9789c0ab1)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 0be8663d1f9e910c304e0960dd9e024e38646480)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Add that the RSUGGESTS variable would be processed only by a
supporting package manager when installing packages from a
package feed, and add a link to the appropriate section in
the Developers Manual.
(From yocto-docs rev: 2c80b891d85e0a7d9b70fc7b4a9c032325b56eca)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 48c832376cc3d33785d790a3e76b52ed2f8895bf)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Change the css rules of our theme to have a fixed-width documentation
instead of it taking the full width of the page. I believe this makes it
much more readable compared to having long lines with few line returns,
especially on high-resolution displays. Set the width to 1000px instead
of the previous 800px, which felt slightly too thin.
I think the removed comment here does not make that much sense for us.
It was added by commit 0c1e108bc6c4 ("sphinx: add CSS theme override"),
and I believe is a simply copy and paste of what was is set in the Linux
kernel, added by commit 9abaf979abb2 ("doc-rst: customize RTD theme,
table & full width") [1].
[1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9abaf979abb2
(From yocto-docs rev: 680edf7ffdf2286c64c32de74be5b6353294122f)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 98234c9d3a0846d719630914bea8599da9f51374)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
The reference to STAGING_DIR* variables in the description of
DEPENDS was misleading, as it pointed at STAGING_DIR which is
unrelated in this context.
(From yocto-docs rev: 48d15a62ed7c004fd6e1dced03923bac529c435e)
Signed-off-by: Adam Blank <adam.blank.g@gmail.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 2da8e6334e3d3362c9177f78a1216156417903fc)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Slightly reword to emphasize the sysroots' roles during the build.
Drop double back-quote from the uses of '-native' to make it a bit
easier on the eyes.
(From yocto-docs rev: e98b2231e76243734820efc28895ab11d20b0330)
Signed-off-by: Adam Blank <adam.blank.g@gmail.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 15bbfeee88eee706e06b63116c9bf0cbfb2fd91c)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Slightly reword to emphasise the order of steps during staging.
Further clarify those variables' relation to STAGING_DIR* variables.
(From yocto-docs rev: 4b219d437a5674aa71b6b2544d1548987202203f)
Signed-off-by: Adam Blank <adam.blank.g@gmail.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit eeb22235d5310ed440692914851df0b7aac056a4)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Don't refer to it as temporary. Update the default value.
(From yocto-docs rev: 3786a02e4478c4e73531479d50d1be6e8dd8b4c7)
Signed-off-by: Adam Blank <adam.blank.g@gmail.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit a1432f24c94a26b372164704cf18b3c6a73b34f5)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Make it more evident, that it is first populated by files from
some recipes, and later used as source of those files for the
others (staging and sharing files).
(From yocto-docs rev: 156c7c685b97943bcfa5309f9656a4b9e05e44a3)
Signed-off-by: Adam Blank <adam.blank.g@gmail.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit cad256411e2bc380e27e2fc4ea3140476596c823)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
STAGING_DIR is not in direct relation to recipe-sysroot*
directries. Also it does not participate in packaging, but rather
in staging and sharing files among recipes.
(From yocto-docs rev: 0838936ad05a8d5ed410767f389d4fd1a4e379b3)
Signed-off-by: Adam Blank <adam.blank.g@gmail.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 0ff189fcb82f5e845951c939197835d0a1daf87b)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
When SPDX_INCLUDE_COMPILED_SOURCES is enabled, only include the
source code files that are used during compilation.
It uses debugsource information generated during do_package.
This enables an external tool to use the SPDX information to disregard
vulnerabilities that are not compiled.
As example, when used with the default config with linux-yocto, the spdx size is
reduced from 156MB to 61MB.
(From OE-Core rev: c6a2f1fca76fae4c3ea471a0c63d0b453beea968)
Adapted to existing files for SPDX3.0
Tested with:
- bitbake world on oe-core
- oe-selftest --run-tests spdx.SPDX30Check
Regarding SPDX2.2, the respective backport was already performed in
OE-Core rev: a2866934e58fb377a73e87576c8594988a63ad1b
(From OE-Core rev: 1c7dfab26d69a87bb026e05b3bbf6a266858c0d1)
Signed-off-by: João Marcos Costa (Schneider Electric) <joaomarcos.costa@bootlin.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
pip vendors distlib which ships Windows launcher template binaries
(*.exe) under pip/_vendor/distlib. These files are only used on
Windows systems but are installed and packaged for target, native,
and nativesdk builds.
Remove the distlib *.exe templates when not building for a mingw
(mingw32/mingw64) host to avoid shipping unused Windows binaries and
reduce package noise.
(From OE-Core rev: 9f2a6cfda6a2305f52411ca8121f27c8a5a91fa2)
Signed-off-by: Krupal Ka Patel <krkapate@cisco.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 90d208fbb06b6e6b5aaddb0048fd6e2e1d46c8bd)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
setuptools installs Windows launcher executables (cli*.exe, gui*.exe)
into site-packages. These binaries are only used on Windows platforms
but are packaged for target, native, and nativesdk builds.
Remove the Windows launcher executables when not building for a mingw
(mingw32/mingw64) host to avoid shipping unused Windows binaries.
(From OE-Core rev: a618c504ba69d20eec08944c577b15a48b1ac578)
Signed-off-by: Krupal Ka Patel <krkapate@cisco.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit cf7c79f3962f2be99cfda47e8cc730091e6a18cb)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Hitendra Prajapati
Vijay Anusuri
João Marcos Costa (Schneider Electric)
Anil Dongare
Hemanth Kumar M D
Adarsh Jagadish Kamini
Ross Burton
Jinfeng Wang
Dawid Bijak
Robert P. J. Day
Johan Anderholm
Trevor Gamblin
Antonin Godard
Lee Chee Yang
Adam Blank
Yanis BINARD
Paul Barker
Nguyen Dat Tho
Yoann Congal
Krupal Ka Patel