author: Patrick Williams <patrick@stwcx.xyz> 2024-04-05 15:04:11 +0300
committer: Patrick Williams <patrick@stwcx.xyz> 2024-04-13 00:00:11 +0300
commit: 03514f1996efa799e50da744818ba331c2e893b6
tree: 170526c40430aa0a3984afe0943972b499f9db97 /meta-security
parent: a55b31efd47bad0a2eece9fad6acfbfb4950b83b
subtree updates

meta-security: 30e755c592..283a773f24:
  Armin Kuster (2):
    meta-security: Drop ${PYTHON_PN}
    openscap: update to tip to fix new build issue.
  Jeremy A. Puhlman (4):
    arpwatch: fix misspelling of PACKAGECONFIG
    aprwatch: Add path for sendmail
    Check for usrmerge before removing /usr/lib
    arpwatch: install man8 dir
  Kevin Hao (4):
    docs: dm-verity.txt: Fix a typo
    dm-verity: Adjust the image names according to the oe-core change
    dm-verity: Set the IMAGE_FSTYPES correctly when dm-verity is enabled
    dm-verity-image-initramfs: Set IMAGE_NAME_SUFFIX to empty
  Max Krummenacher (1):
    layer.conf: Update for the scarthgap release series
  Mingli Yu (1):
    python3-pyinotify: Make asyncore support optional for Python 3

poky: 7165c23237..110ee701b3:
  Alejandro Hernandez Samaniego (1):
    python3-manifest: Sync RDEPENDS with latest version
  Alexander Kanavin (11):
    meson: correct upstream version check (exclude pre-releases)
    cargo-c-native: convert from git fetcher to crate fetcher
    cargo-c-native: update 0.9.18 -> 0.9.30
    man-pages: use env from coreutils-native
    sdk-manual: correctly describe separate build-sysroots tasks in direct sdk workflows
    dev/ref-manual: document conf-summary.txt together with conf-notes.txt
    dev-manual: improve descriptions of 'bitbake -S printdiff'
    wayland: fix upstream version check by asking gitlab directly
    python3: correct upstream version check
    bitbake: bitbake: improve descriptions of '-S printdiff'
    selftest/sstatetests: run CDN check twice, ignoring errors the first time
  Alexandre Truong (1):
    oeqa/selftest/devtool: fix test_devtool_add_git_style2
  Anibal Limon (1):
    wic: bootimg-partition allow to set var to get boot files
  BELOUARGA Mohamed (1):
    ref-manual: add documentation of the variable SPDX_NAMESPACE_PREFIX
  Bartosz Golaszewski (1):
    linux-firmware: update to 20240312
  Baruch Siach (1):
    oeqa/selftest/overlayfs: test read-only rootfs
  Bruce Ashfield (16):
    linux-yocto/6.6: cfg: generic arm64
    linux-yocto/6.6: cfg: riscv XHCI
    linux-yocto/6.6: update to v6.6.21
    linux-yocto/6.6: update CVE exclusions (6.6.21)
    linux-yocto/6.6: cfg: drop unsettable options
    linux-yocto/6.6: drm/tilcdc: Set preferred depth
    linux-yocto/6.6: update to v6.6.22
    linux-yocto/6.6: update CVE exclusions (6.6.22)
    yocto-bsps: update to v6.6.21
    linux-yocto/6.6: cfg: genericarm64 platform/peripheral support
    linux-yocto/6.6: cfg: genericarm64 configuration updates
    linux-yocto/6.6: nftables: ptest and cleanup tweaks
    linux-yocto/6.6: update to v6.6.23
    linux-yocto/6.6: update CVE exclusions (6.6.23)
    linux-yocto-dev: bump to v6.9
    lttng-modules: update to v2.13.12
  Changqing Li (1):
    dnf: fix Exception handling for class ProcessLock
  Chen Qi (1):
    ovmf: set CVE_PRODUCT and CVE_VERSION
  Christian Taedcke (1):
    kernel-fitImage: only include valid compatible line
  Derek Erdmann (1):
    bitbake: fetch2/git: Install Git LFS in local repository config
  Enrico Jörns (3):
    cml1: remove needless check for write_taint attribute
    cml1: prompt location of updated .config after do_menuconfig()
    perf: fix TMPDIR contamination for recent mainline kernels
  Enrico Scholz (1):
    shadow: fix copydir operation with 'pseudo'
  Felix Moessbauer (1):
    bitbake: utils: better estimate number of available cpus
  Harish Sadineni (3):
    gcc: Oe-selftest failure analysis - fix for tcl errors
    gcc: Oe-selftest failure analysis - fix for vect-simd test failures
    binutils: gprofng - change use of bignum to use of bignint
  Jermain Horsman (1):
    bblayers/makesetup.py: Move git utility functions to oe.buildcfg module
  Joe Slater (1):
    systemd: enable mac based names in NamePolicy
  Jose Quaresma (5):
    go.bbclass: set GOPROXY
    elfutils: fix unused variable BUFFER_SIZE
    go: keep the patches in order
    go: upgrade 1.22.1 -> 1.22.2
    sstatesig: fix netrc.NetrcParseError exception
  Joshua Watt (4):
    sstatesig: Set hash server credentials from bitbake variables
    bitbake: siggen: Add support for hashserve credentials
    sstatesig: Warn on bad .netrc
    bitbake: bitbake-hashclient: Warn on bad .netrc
  Jörg Sommer (1):
    autotools: update link in comment for cross compiling
  Kevin Hao (1):
    image-live.bbclass: Adjust the default value for INITRD_LIVE
  Khem Raj (13):
    systemd: Check for directory before chmod'ing it
    llvm: Update to 18.1.1 release
    elfutils: Fix build break with clang
    glibc: Update to tip of 2.39 branch
    pam: Fix build with musl
    piglit: Switch to upstreamed patch for musl fix
    qemuriscv: Fix kbd and mouse emulation for qemuriscv64
    llvm: Upgrade to 18.1.2 bugfix release
    glibc: Repace aarch configure patch fix with a backport
    valgrind: Backport fixes from 3.22 branch
    tcl: Forward port skip logic for musl ptests
    readline: Apply patches from readline-8.2-patches
    mesa: Drop LLVM-17 patch
  Lee Chee Yang (1):
    migration-guides: add release notes for 4.0.17
  Marcel Ziswiler (1):
    mesa: enable imagination powervr support
  Markus Volk (11):
    mesa: fix opencl-spirv build
    vala: merge bb and inc files
    vala: fix for gtk4 prior to 4.14
    libsoup: enable vapi support
    gsettings-desktop-schemas: update 45.0 -> 46.0
    libadwaita: update 1.4.4 -> 1.5.0
    gtk4: update 4.12.5 -> 4.14.1
    systemd: disable mdns feature in resolved for zeroconf
    webkitgtk: update 2.42.5 -> 2.44.0
    gtk+3: disable wayland without opengl
    epiphany: update 45.3 -> 46.0
  Martin Jansa (2):
    contributor-guide: be more specific about meta-* trees
    pixman: explicitly disable openmp in native builds
  Max Krummenacher (1):
    git: git-replacement-native: depend on ca-certificate
  Michael Opdenacker (8):
    manuals: add initial stylechecks with Vale
    profile-manual: usage.rst: formatting fixes
    manuals: use "manual page(s)"
    profile-manual: usage.rst: fix reference to bug report
    documentation: Makefile: remove releases.rst in "make clean"
    migration-guides: draft notes for upcoming release 5.0
    manuals: add initial stylechecks with Vale
    profile-manual: usage.rst: further style improvements
  Oleh Matiusha (3):
    bash: improve reproducibility
    curl: improve reproducibility
    gmp: improve reproducibility
  Paul Barker (1):
    kernel: Fix check_oldest_kernel
  Peter A. Bigot (1):
    bitbake: lib/bb: support NO_COLOR
  Peter Kjellerstedt (1):
    util-linux: Set the license for util-linux-fcntl-lock to MIT
  Philippe Rivest (1):
    bitbake: bitbake: fetch2/git: Escape parentheses in git src name
  Quentin Schulz (1):
    u-boot: fix externalsrc not triggering do_configure on defconfig changes
  Randy MacLeod (1):
    gstreamer: upgrade 1.22.10 -> 1.22.11
  Richard Purdie (10):
    poky: Update to prepare for scarthgap release
    layer.conf: Prepare for release, drop nanbield LAYERSERIES
    expat: Upgrade 2.6.1 -> 2.6.2
    bash/flex: Ensure BUILD_FLAGS doesn't leak onto target
    uninative: Add pthread linking workaround
    poky-altcfg: Default to ipk packaging
    util-linux: Add missing MIT license
    util-linux: Add fcntl-lock
    run-postinsts: Add workaround for locking deadlock issue
    oeqa/sstatetests: Fix race issue
  Ross Burton (22):
    genericarm64.wks: reorder partitions
    genericarm64: clean up kernel modules and firmware
    linux-firmware: add support for deduplicating the firmware
    linux-firmware: set LICENSE field for -liquidui and -mellanox
    linux-firmware: remove pointless linux-firmware-gplv2-license package
    curl: improve run-ptest
    curl: increase test timeouts
    gstreamer1.0: improve test reliability
    linux-yocto: put COMPATIBLE_MACHINE first
    linux-yocto: implicitly track oe-core's kernel version for genericarm64
    bitbake: fetch2: handle URIs with single-valued query parameters
    python3_pip517: just count wheels in the directory, not subdirectories
    python-*: don't set PYPI_ARCHIVE_NAME and S when PYPI_PACKAGE is sufficient
    tcl: improve run-ptest
    tcl: skip I/O channel 46.1
    genericarm64: add qemuboot configuration
    classes/qemuboot: add depends on qemu-system-native and qemu-helper-native
    README.hardware.md: fix Markdown formatting
    README.hardware.md: add section on genericarm64 on qemu
    glib-2.0: skip a timing sensitive ptest
    openssl: fix crash on aarch64 if BTI is enabled but no Crypto instructions
    curl: fix quoting when disabling flaky tests
  Ryan Eatmon (1):
    perf: Fix QA error due to most recent kernel
  Sam Van Den Berge (1):
    shadow: don't install libattr.so.* when xattr not in DISTRO_FEATURES
  Sava Jakovljev (1):
    bitbake: bitbake-worker: Fix bug where umask 0 was not being applied to a task
  Simone Weiß (1):
    gnutls: upgrade 3.8.3 -> 3.8.4
  Soumya Sambu (1):
    go: Upgrade 1.22.0 -> 1.22.1
  Sourav Kumar Pramanik (1):
    libseccomp: Add back in PTESTS_SLOW list
  Sundeep KOKKONDA (1):
    rust: reproducibility issue fix with v1.75
  Tim Orling (2):
    coreutils: drop obsolete liberror-perl RDEPENDS
    liberror-perl: move to meta-perl
  Timon Bergelt (1):
    populate_sdk_ext.bbclass: only overwirte lsb string if uninative is used
  Tom Hochstein (2):
    bmaptool: Add bmap-tools runtime alias for compatibility
    toolchain-shar-relocate.sh: Add check for missing command 'file'
  Trevor Woerner (1):
    bmaptool: update to latest
  Ulrich Ölmann (1):
    ref-manual: classes: update description of class 'image_types'
  Viswanath Kraleti (1):
    bitbake: fetch2: Fix misleading "no output" msg
  Wang Mingyu (1):
    libadwaita: upgrade 1.4.3 -> 1.4.4
  William Lyu (1):
    openssh: Add a workaround for ICE on powerpc64le
  Xiangyu Chen (3):
    lttng-tools: skip kernel tests if no kernel modules present
    ltp: fix missing connectors tests in scenario_groups/default
    lttng-tools: fix rotation-destroy-flush test fails if no kernel module present
  Yang Xu (1):
    bitbake: bitbake-worker: Fix silent hang issue caused by unexpected stdout content
  Yannick Rodriguez (1):
    linux-firmware: Move Intel 9260 modules firmware.
  Yash Shinde (1):
    glibc: Skip 2 qemu tests that can hang in oe-selftest
  Yi Zhao (1):
    libtirpc: drop redundant PACKAGECONFIG
  Yoann Congal (6):
    cve-update-nvd2-native: Fix typo in comment
    cve-update-nvd2-native: Add an age threshold for incremental update
    cve-update-nvd2-native: Remove duplicated CVE_CHECK_DB_FILE definition
    cve-update-nvd2-native: nvd_request_next: Improve comment
    cve-update-nvd2-native: Fix CVE configuration update
    cve-update-nvd2-native: Remove rejected CVE from database
  Yogesh Tyagi (1):
    lttng-modules: fix v6.8+ build
  david d zuhn (1):
    bitbake: bitbake-worker: allow '=' in environment variable values
  lixiaoyong (3):
    kernel-module-split.bbclass: enhance objcopy command call for kernel compilation with llvm
    utils: enhance readelf command call with llvm
    oe/package: enhance objdump command call with llvm

meta-raspberrypi: 92a9b7a012..d072cc8a48:
  Khem Raj (9):
    linux-raspberrypi: Add recipe for 6.6 LTS kernel
    bluez-firmware-rpidistro: Upgrade to 1.2-9+rpt3 release
    linux-firmware-rpidistro: Upgrade to bookworm/20230625-2+rpt2
    raspberrypi-firmware: Fetch using git URI
    rpi-base: Add missing broadcom/ prefix to find DTB files
    rpi-default-versions: Switch default kernel to 6.6
    linux-raspberrypi_6.6: Bump to 6.6.22
    rpi-bootfiles: Resort to github APIs for tarballs
    raspberrypi-firmware: Revert to debian archive
  Martin Jansa (1):
    userland: fix installed-vs-shipped in multilib builds
  jdavidsson (1):
    rpi-base: Add hifiberry-dacplusadc overlay

meta-arm: aba9250494..d9e18ce792:
  Abdellatif El Khlifi (1):
    arm-bsp/corstone1000: add documentation disclaimer
  Alexander Sverdlin (1):
    optee-ftpm: fix EARLY_TA_PATHS passed to optee-os
  Ali Can Ozaslan (4):
    arm-bsp/trusted-firmware-m: corstone1000: update to 2.0
    arm-bsp/trusted-services: corstone1000: Client Id adjustments after TF-M 2.0
    arm/trusted-firmware-m: Change GNU Arm compiler version for TF-M 2.0
    arm-bsp/trusted-firmware-a: n1sdp: update to 2.10
  Anusmita Dutta Mazumder (2):
    arm-bsp/n1sdp: Update scp-firmware version
    arm-bsp/n1sdp: Update EDK2 version
  Bence Balogh (2):
    arm-bsp/u-boot: corstone1000: fix SMCCC_ARCH_FEATURES detection in the PSCI driver
    arm-bsp/trusted-firmware-a: corstone1000: remove SMCCC_ARCH_FEATURES discovery workaround
  Delane Brandy (1):
    arm/trusted-firmware-a: fix mbedTLS version
  Drew Reed (2):
    kas: Corstone-1000 kas files updated
    bsp: Corstone-1000 userguide updates
  Emekcan Aras (2):
    arm-bsp/trusted-firmware-a: Upgrade Corstone1000 to TF-A v2.10
    arm/trusted-services: Add recipe for block storage service
  Jon Mason (17):
    README: Add information about release process and mailing list
    arm/linux-yocto: remove unreferenced patch
    arm/optee: disable clang due to breakage
    arm-bsp/tf-a-tests: remove corstone1000 intermediate SHA
    arm-bsp/tfa-tests: move n1sdp patch to platform directory
    CI: update kas to 4.3.1
    arm/edk2: update to 202402
    arm/trusted-firmware-a: update to 2.10.2
    arm/sbsa-acs: update to 7.1.4
    arm/scp-firmware: update to v2.14.0
    arm-toolchain/gcc-arm-none-eabi: remove 11.2
    CI: reduce coverage of dev kernel
    arm/sbsa-acs: remove unreferenced patch
    arm-toolchain: correct UPSTREAM_CHECK
    Revert "arm/rmm: Add bitbake, include and patch file for RMM firmware"
    arm/sbsa-acs: use UPSTREAM_CHECK_URI for version checking
    arm: use UPSTREAM_CHECK_COMMITS for git versioned recipes
  Mathieu Poirier (1):
    arm/rmm: Add bitbake, include and patch file for RMM firmware
  Ross Burton (3):
    arm arm-bsp: enable patch-status warnings
    Add SECURITY.md
    CI: ignore netrc warnings caused by Kas

meta-openembedded: a0237019f5..a6bcdca5b4:
  Bartosz Golaszewski (1):
    libgpiod: update to v2.1.1
  Chad Rockey (1):
    cppzmq-dev expects /usr/lib/libzmq.a
  Changqing Li (1):
    postgresql: fix a runtime error
  Chen Qi (1):
    tcprelay: fix a minor cross compilation do_configure issue
  Christophe Chapuis (9):
    lvgl: fix typo in lv-conf.inc
    lvgl: install lv_conf.h
    lvgl: remove useless FILES include
    lvgl: cleanup sed instructions in lv-conf.inc
    lvgl: add more variables to lv-conf.inc
    lvgl: fix libdrm include
    lvgl: lv-conf.inc: generalize sed instructions
    lvgl: make libdrm include conditional
    lvgl: cleanup sed expression
  Dan McGregor (2):
    python3-pylint: Update to 3.1.0
    python3-pylint: Fix ptest failures
  Derek Straka (1):
    python3-dbus: re-add recipe with latest patches and add ptest
  Etienne Cordonnier (1):
    uutils-coreutils: upgrade 0.0.24 -> 0.0.25
  Fathi Boudra (1):
    python3-django: upgrade 4.2.10 -> 4.2.11
  Guðni Már Gilbert (2):
    python3-ecdsa: remove python3-pbr
    python3-ecdsa: cleanup DEPENDS
  Jaeyoon Jung (1):
    lvgl: Set resolution prior to buffer
  Joe Slater (1):
    googletest: allow for shared libraries
  Jose Quaresma (1):
    ostree: Upgrade 2024.4 -> 2024.5
  Jörg Sommer (3):
    sngrep: new recipe for ncurses SIP Messages flow viewer
    spandsp: new telephony DSP library
    bluez-tools: New recipe for bluez5 tools
  Kai Kang (2):
    Packages depends on libadwaita should require distro feature opengl
    thin-provisioning-tools: install binary to ${sbindir}
  Khem Raj (55):
    squid: Upgrade to 6.8
    libosinfo: Fix build with libxml2 v2.12
    xmlstarlet: Fix build with API breakage in libxml2 2.12
    mariadb: Fix build with libxml2 2.12 ABI changes
    libmusicbrainz: Update to tip of trunk
    gnome-commander: Fix build with taglib 2.0
    gnome-online-accounts: Fix build with libxml2 2.12
    vlc: Upgrade to 3.0.20
    netcf: Fix build with latest gnulib
    php: Upgrade to 8.2.16
    vlc: Fix build on 32bit x86
    libtinyxml2: Extend for nativesdk
    lvgl: Fix dev-elf build QA
    layer.conf: Update for the scarthgap release series
    dietsplash: Update and fix build with musl
    frr: Upgrade to latest on 9.1 stable
    frr: Fix build on newer musl
    layer.conf: Prepare for release, drop nanbield LAYERSERIES
    libcamera: Fix clang support patches
    plocate: Fix sys/stat.h and linux/stat.h conflicts with musl
    liburing: Upgrade to 2.5
    openflow: Delete recipe for 1.0
    openflow: Merge .inc into .bb
    openflow: Fix build with musl
    tracker-miners: Disable seccomp support on musl
    libcamera: Fix build on musl systems
    ipset: Update to 7.21
    ot-daemon: Update to tip of trunk
    ot-br-posix: Update to latest
    wpantund: Update to latest
    xfsdump: Fix build with musl >= 1.2.5
    xfstests: Fix build with musl >= 1.2.5
    net-snmp: Fix build with musl
    rdma-core: Fix build with musl >= 1.2.5
    ssmtp: Fix build with musl >= 1.2.5
    autofs: Fix build with musl >= 1.2.5
    lvm2: Fix build with musl 1.5.2+
    sanlock: Fix build with musl >= 1.2.5
    ndctl: Fix build issues seen with musl 1.2.5
    sdbus-c++-libsystemd: Upgrade to 255.4 release of systemd
    sdbus-c++,sdbus-c++-tools: Upgrade to 1.5.0 release
    wtmpdb: Upgrade to 0.11.0 release
    uftrace: Fix build with musl >= 1.2.5
    fio: Upgrade to 3.36+git
    i2cdev: Include libgen.h on musl
    directfb: Fix build with musl >= 1.2.5
    iwd: Upgrade to 2.16
    minifi-cpp: Fix libsodium build on aarch64/clang
    multipath-tools: Fix build with musl >= 1.2.5
    aer-inject: Fix build with latest musl
    aer-inject: Replace hardcoded /usr with ${prefix}
    microsoft-gsl: Disable disabled-macro-expansion warning as error on clang/musl
    meta-python-image-ptest: Use 2G RAM for some demanding tests
    python3-pydbus: Add bash dependency for ptests
    highway,libjxl: Remove -mfp16-format=ieee when using clang compiler
  Leon Anavi (7):
    python3-anyio: Upgrade 4.2.0 -> 4.3.0
    python3-httpx: Upgrade 0.26.0 -> 0.27.0
    python3-multidict: Upgrade 6.0.4 -> 6.0.5
    python3-croniter: Upgrade 2.0.1 -> 2.0.3
    python3-paho-mqtt: Upgrade 1.6.1 -> 2.0.0
    python3-typeguard: Upgrade 4.1.5 -> 4.2.1
    python3-cachetools: Upgrade 5.3.2 -> 5.3.3
  Marek Vasut (14):
    lvgl: Drop dialog-lvgl
    lvgl: Upgrade to LVGL 9 series
    lvgl: Rename lv-drivers.inc to lv-conf.inc
    lvgl: Add SDL2 fullscreen mode configuration option
    lvgl: Configure assertions based on DEBUG_BUILD
    lvgl: Default to XRGB8888 DRM framebuffer
    lvgl: Build shared library
    lvgl: Replace sed patching with real patches
    lvgl: Generate proper shared libraries with version suffix
    lvgl: Reinstate demo configuration settings
    lvgl: Update to 9.1.0
    lvgl: Drop superfluous ALLOW_EMPTY
    lvgl: Drop unnecessary PV append
    lvgl: Deduplicate PACKAGECONFIG into lv-conf
  Markus Volk (66):
    mozjs-115: fix reproducibility issue
    webp-pixbuf-loader: update 0.2.5 -> 0.2.7
    gnome-control-center: fix reproducibility issue
    gnome-disk-utility: fix reproducibility issue
    gnome-settings-daemon: fix reproducibility issue
    gnome-terminal: fix reproducibility issue
    libvncserver: fix reproducibility issue
    editorconfig-core-c: fix reproducibility issue
    crossguid: fix reproducibility issue
    waylandpp: fix reproducibility issue
    polkit: remove unneeded workaround
    gtk-vnc: fix reproducibility issue
    pipewire: update 1.0.3 -> 1.0.4
    mutter: remove zenity from rdepends
    mutter: update 45.4 -> 46.0
    gnome-shell: update 45.4 -> 46.0
    gnome-settings-daemon: update 45.0 -> 46.0
    gnome-software: update 45.3 -> 46.0
    evince: update 45.0 -> 46.0
    gnome-online-accounts: update 3.48.0 -> 3.50.0
    evolution-data-server: build with webkitgtk4
    folks: update 0.15.7 -> 0.15.8
    gnome-control-center: update 45.3 -> 46.0
    xdg-desktop-portal-gnome: update 45.1 -> 46.0
    tracker: update 3.6.0 -> 3.7.0
    tracker-miners: update 3.6.2 -> 3.7.0
    freerdp3: add recipe
    wireplumber: update 0.4.17 -> 0.5.0
    tecle: update 45.0 -> 46.0
    gnome-calculator: update 45.0.2 -> 46.0
    gnome-session: update 45.0 -> 46.0
    gnome-remote-desktop: update 45.1 -> 46.0
    gnome-calendar: update 45.1 -> 46.0
    libgweather4: update 4.4.0 -> 4.4.2
    gtksourceview5: update 5.10.0 -> 5.12.0
    gnome-control-center: use gcr4 variant
    libcloudproviders: update 0.3.5 -> 0.3.6
    gnome-themes-extra: build with gtk+3
    gtk4mm: add recipe
    gnome-system-monitor: update 45.0.1 -> 46.0
    gnome-boxes: update 45.0 -> 46.0
    eog: update 45.2 -> 45.3
    gparted: update 1.5.0 -> 1.6.0
    libgtop: update 2.41.1 -> 2.41.3
    gnome-bluetooth: update 42.8 -> 46.0
    gnome-text-editor: update 45.1 -> 46.0
    gnome-chess: update 43.2 -> 46.0
    gnome-disk-utility: update 45.0 -> 46.0
    gnome-shell-extensions: update 45.2 -> 46.0
    msgraph: add recipe
    gvfs: update 1.52.2 -> 1.54.0
    tracker-miners: drop buildpath from tracker-miner-fs-3
    evolution-data-server: disable tests and examples
    tracker-miners: fix reproducibility issue for landlock
    file-roller: update 43.1 -> 44.0
    apache2: preset mpm=prefork by default
    gnome-user-share: add recipe
    gnome-control-center: update 46.0 -> 46.0.1
    gdm: update 45.0.1 -> 46.0
    gnome-user-share: remove hardcoded paths
    ghex: update 45.1 -> 46.0
    libjxl: add recipe
    gnome-backgrounds: add runtime depenency for libjxl
    highway: add recipe
    webkitgtk3: update 2.42.5 -> 2.44.0
    gnome-control-center: restore Upstream-Status line
  Martin Jansa (5):
    unionfs-fuse, dropwatch, postgresql, yasm, multipath-tools, python3-pybind11: add missing Upstream-Status
    recipes: Drop remaining PR values from recipes
    freerdp3: disable shadow without x11
    xfstests: upgrade to v2024.03.03
    gtkmm4: add x11 to REQUIRED_DISTRO_FEATURES
  Maxin John (7):
    tracker: remove unused patch
    openal-soft: remove unused patches
    libio-pty-perl: remove unsed patch
    opengl-es-cts: remove unused patch
    emacs: remove unused patch
    webkitgtk3: remove unused patch
    python3-eth-utils: remove unused patches
  Michael Heimpold (1):
    ser2net: add a systemd service file
  Mingli Yu (4):
    gosu: Upgrade to 1.17
    googletest: Pass -fPIC to CFLAGS
    re2: Upgrade 2023.03.01 -> 2024.03.01
    nss: Upgrade 3.74 -> 3.98
  Ola x Nilsson (2):
    abseil-cpp: Split so-files into separate packages
    abseil-cpp: Split so-files into separate packages
  Peter Kjellerstedt (3):
    abseil-cpp: A little clean-up
    libnice: Disable the examples and the tests
    abseil-cpp: A little clean-up
  Peter Marko (5):
    jwt-cpp: fix cmake file install path
    soci: fix buildpaths warning
    libcpr: add new recipe
    python3-grpcio: cleanup dependencies
    microsoft-gsl: add new recipe including ptest
  Petr Gotthard (2):
    libmbim: Revert back to the latest stable 1.30.0
    libqmi: Revert back to the latest stable 1.34.0
  Randy MacLeod (2):
    rsyslog: update from 8.2306.0 to 8.2402.0
    nftables: Add DESCRIPTION and HOMEPAGE
  Richard Purdie (2):
    imagemagick/lcms/fftw: Allow nativesdk versions to exist
    buildtools-imagemagick: Add new recipe
  Robert P. J. Day (1):
    fmt: remove unnecessary "inherit ptest" directive
  Robert Yang (6):
    yaffs2-utils: Upgrade to 20221209
    xfsprogs: 6.5.0 -> 6.6.0
    gnulib: 2018-12-18 -> 202401
    thin-provisioning-tools: 1.0.9 -> 1.0.12
    gperftools: 2.10 -> 2.15
    freeradius: 3.0.26 -> 3.2.3
  Ross Burton (1):
    python3-pydantic-core: just set PYPI_PACKAGE
  Sam Van Den Berge (1):
    python3-aiohttp: add missing dependencies
  Samuli Piippo (1):
    geoclue: enable demo agent
  Thomas Roos (1):
    usrsctp: upgrade to latest version
  Tim Orling (1):
    liberror-perl: move recipe from oe-core
  Tomasz Żyjewski (1):
    python: python-libusb1: add recipe
  Wang Mingyu (124):
    bats: upgrade 1.10.0 -> 1.11.0
    c-ares: upgrade 1.26.0 -> 1.27.0
    ctags: upgrade 6.1.20240114.0 -> 6.1.20240225.0
    dbus-cxx: upgrade 2.5.0 -> 2.5.1
    ddrescue: upgrade 1.27 -> 1.28
    fetchmail: upgrade 6.4.37 -> 6.4.38
    libtalloc: upgrade 2.4.1 -> 2.4.2
    libtdb: upgrade 1.4.9 -> 1.4.10
    neatvnc: upgrade 0.7.2 -> 0.8.0
    ostree: upgrade 2024.3 -> 2024.4
    python3-astroid: upgrade 3.0.3 -> 3.1.0
    python3-cbor2: upgrade 5.6.1 -> 5.6.2
    python3-dnspython: upgrade 2.6.0 -> 2.6.1
    python3-eventlet: upgrade 0.35.1 -> 0.35.2
    python3-gcovr: upgrade 7.0 -> 7.2
    python3-google-api-core: upgrade 2.16.2 -> 2.17.1
    python3-google-api-python-client: upgrade 2.118.0 -> 2.120.0
    python3-grpcio(-tools): upgrade 1.60.1 -> 1.62.0
    python3-ipython: upgrade 8.21.0 -> 8.22.1
    python3-pdm: upgrade 2.12.3 -> 2.12.4
    python3-pymisp: upgrade 2.4.185 -> 2.4.186
    python3-scrypt: upgrade 0.8.20 -> 0.8.24
    python3-sentry-sdk: upgrade 1.40.4 -> 1.40.6
    smarty: upgrade 4.3.4 -> 4.4.1
    stunnel: upgrade 5.69 -> 5.72
    abseil-cpp: upgrade 20230802.1 -> 20240116.1
    dnf-plugin-tui: upgrade 1.3 -> 1.4
    boost-sml: upgrade 1.1.9 -> 1.1.11
    ctags: upgrade 6.1.20240225.0 -> 6.1.20240310.0
    dialog: upgrade 1.3-20240101 -> 1.3-20240307
    flatbuffers: upgrade 23.5.26 -> 24.3.7
    gjs: upgrade 1.78.4 -> 1.80.0
    hwdata: upgrade 0.379 -> 0.380
    iceauth: upgrade 1.0.9 -> 1.0.10
    libdnet: upgrade 1.17.0 -> 1.18.0
    libopus: upgrade 1.4 -> 1.5.1
    libreport: upgrade 2.17.11 -> 2.17.15
    libxaw: upgrade 1.0.15 -> 1.0.16
    mcelog: upgrade 196 -> 197
    networkd-dispatcher: upgrade 2.1 -> 2.2.4
    openlldp: upgrade 1.1.0 -> 1.1.1
    opensc: upgrade 0.24.0 -> 0.25.0
    pcsc-lite: upgrade 2.0.1 -> 2.0.3
    python3-a2wsgi: upgrade 1.10.2 -> 1.10.4
    python3-apiflask: upgrade 2.1.0 -> 2.1.1
    python3-argcomplete: upgrade 3.2.2 -> 3.2.3
    python3-bandit: upgrade 1.7.7 -> 1.7.8
    python3-blivet: upgrade 3.8.2 -> 3.9.1
    python3-blivetgui: upgrade 2.4.2 -> 2.5.0
    python3-django: upgrade 5.0.2 -> 5.0.3
    python3-elementpath: upgrade 4.3.0 -> 4.4.0
    python3-eth-abi: upgrade 5.0.0 -> 5.0.1
    python3-eth-rlp: upgrade 1.0.1 -> 2.0.0
    python3-flask-migrate: upgrade 4.0.5 -> 4.0.7
    python3-google-api-python-client: upgrade 2.120.0 -> 2.122.0
    python3-google-auth: upgrade 2.28.1 -> 2.28.2
    python3-googleapis-common-protos: upgrade 1.62.0 -> 1.63.0
    python3-grpcio-tools: upgrade 1.62.0 -> 1.62.1
    python3-grpcio: upgrade 1.62.0 -> 1.62.1
    python3-ipython: upgrade 8.22.1 -> 8.22.2
    python3-mypy: upgrade 1.8.0 -> 1.9.0
    python3-pydantic: upgrade 2.6.3 -> 2.6.4
    python3-pymisp: upgrade 2.4.186 -> 2.4.187
    python3-pymodbus: upgrade 3.6.4 -> 3.6.6
    python3-pyperf: upgrade 2.6.2 -> 2.6.3
    python3-pytest-lazy-fixtures: upgrade 1.0.5 -> 1.0.6
    python3-pytest-timeout: upgrade 2.2.0 -> 2.3.1
    python3-requests-oauthlib: upgrade 1.3.1 -> 1.4.0
    python3-sentry-sdk: upgrade 1.40.6 -> 1.42.0
    python3-tox: upgrade 4.13.0 -> 4.14.1
    python3-traitlets: upgrade 5.14.1 -> 5.14.2
    python3-types-psutil: upgrade 5.9.5.20240205 -> 5.9.5.20240316
    python3-types-python-dateutil: upgrade 2.8.19.20240106 -> 2.9.0.20240316
    tcsh: upgrade 6.24.10 -> 6.24.11
    thingsboard-gateway: upgrade 3.4.4 -> 3.4.5
    xmessage: upgrade 1.0.6 -> 1.0.7
    xrefresh: upgrade 1.0.7 -> 1.1.0
    gjs: upgrade 1.80.0 -> 1.80.2
    gnome-backgrounds: upgrade 45.0 -> 46.0
    gnome-font-viewer: upgrade 45.0 -> 46.0
    libblockdev: upgrade 3.1.0 -> 3.1.1
    libdeflate: upgrade 1.19 -> 1.20
    libmbim: upgrade 1.30.0 -> 1.31.2
    libqmi: upgrade 1.34.0 -> 1.35.2
    libtommath: upgrade 1.2.1 -> 1.3.0
    mcelog: upgrade 197 -> 198
    metacity: upgrade 3.50.0 -> 3.52.0
    python3-asgiref: upgrade 3.7.2 -> 3.8.1
    python3-blivet: upgrade 3.9.1 -> 3.9.2
    python3-cassandra-driver: upgrade 3.29.0 -> 3.29.1
    python3-djangorestframework: upgrade 3.14.0 -> 3.15.1
    python3-eth-rlp: upgrade 2.0.0 -> 2.1.0
    python3-eventlet: upgrade 0.35.2 -> 0.36.1
    python3-filelock: upgrade 3.13.1 -> 3.13.3
    python3-flask-marshmallow: upgrade 1.2.0 -> 1.2.1
    python3-flatbuffers: upgrade 24.3.7 -> 24.3.25
    python3-google-api-core: upgrade 2.17.1 -> 2.18.0
    python3-google-api-python-client: upgrade 2.122.0 -> 2.124.0
    python3-google-auth: upgrade 2.28.2 -> 2.29.0
    python3-graphviz: upgrade 0.20.1 -> 0.20.3
    python3-gspread: upgrade 6.0.2 -> 6.1.0
    python3-jdatetime: upgrade 4.1.1 -> 5.0.0
    python3-pdm: upgrade 2.12.4 -> 2.13.2
    python3-pyasn1-modules: upgrade 0.3.0 -> 0.4.0
    python3-pymisp: upgrade 2.4.187 -> 2.4.188
    python3-pytest-asyncio: upgrade 0.23.5 -> 0.23.6
    python3-pytest-cov: upgrade 4.1.0 -> 5.0.0
    python3-pytest-lazy-fixtures: upgrade 1.0.6 -> 1.0.7
    python3-pywbem: upgrade 1.6.2 -> 1.6.3
    python3-pywbemtools: upgrade 1.2.0 -> 1.2.1
    python3-pyzstd: upgrade 0.15.9 -> 0.15.10
    python3-requests-oauthlib: upgrade 1.4.0 -> 2.0.0
    python3-sentry-sdk: upgrade 1.42.0 -> 1.44.0
    python3-socketio: upgrade 5.11.1 -> 5.11.2
    python3-thrift: upgrade 0.16.0 -> 0.20.0
    python3-tox: upgrade 4.14.1 -> 4.14.2
    python3-web3: upgrade 6.15.1 -> 6.16.0
    st: upgrade 0.9 -> 0.9.1
    thingsboard-gateway: upgrade 3.4.5 -> 3.4.6
    thrift: upgrade 0.19.0 -> 0.20.0
    tracker-miners: upgrade 3.7.0 -> 3.7.1
    tracker: upgrade 3.7.0 -> 3.7.1
    wireshark: upgrade 4.2.3 -> 4.2.4
    wolfssl: upgrade 5.6.6 -> 5.7.0
  William Lyu (3):
    nftables: Fix ptest output format issues
    nftables: Fix ShellCheck violations in ptest wrapper script "run-ptest"
    nftables: Fix failed ptest testcases
  Yi Zhao (13):
    netplan: upgrade 0.106 -> 1.0
    networkmanager: 1.44.0 -> 1.46.0
    postfix: upgrade 3.8.5 -> 3.8.6
    net-snmp: upgrade 5.9.3 -> 5.9.4
    cryptsetup: upgrade 2.7.0 -> 2.7.1
    samba: upgrade 4.19.4 -> 4.19.5
    civetweb: remove buildpaths from civetweb-targets.cmake
    minifi-cpp: upgrade 0.7.0 -> 0.15.0
    openvpn: upgrade 2.6.9 -> 2.6.10
    rocksdb: upgrade 7.9.2 -> 9.0.0
    audit: upgrade 4.0 -> 4.0.1
    netplan: add missing config directory
    strongswan: upgrade 5.9.13 -> 5.9.14
  alperak (15):
    python3-icecream: add recipe
    python3-invoke: add recipe
    python3-traitlets: add ptest and update runtime dependencies
    python3-google-auth-oauthlib: add ptest
    python3-tomli-w: added recipe which is also include ptest
    python3-pytest-localserver: added recipe which is also include ptest
    python3-responses: add recipe
    python3-google-auth: add ptest and update runtime dependencies
    remove obsolete PIP_INSTALL_PACKAGE and PIP_INSTALL_DIST_PATH
    python3-a2wsgi: added recipe which is also include ptest
    python3-httptools: added recipe which is also include ptest
    python3-wsproto: Add recipe
    python3-portalocker: enable ptest
    python3-validators: upgrade 0.22.0 > 0.24.0 and enable ptest
    python3-pydbus: Drop ${PYTHON_PN}
  chenheyun (1):
    aer-inject:add new recipe

Change-Id: I3cf0e5c87ecdfa18c35d318cb64c0e6559348618
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Diffstat (limited to 'meta-security')
-rw-r--r--  meta-security/classes/dm-verity-img.bbclass | 30
-rw-r--r--  meta-security/conf/layer.conf | 2
-rw-r--r--  meta-security/docs/dm-verity.txt | 2
-rw-r--r--  meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-flask-script_2.0.6.bb | 2
-rw-r--r--  meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-pyinotify/0001-Make-asyncore-support-optional-for-Python-3.patch | 92
-rw-r--r--  meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-pyinotify_0.9.6.bb | 18
-rw-r--r--  meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_1.0.2.bb | 2
-rw-r--r--  meta-security/meta-hardening/conf/layer.conf | 2
-rw-r--r--  meta-security/meta-integrity/conf/layer.conf | 2
-rw-r--r--  meta-security/meta-parsec/conf/layer.conf | 2
-rw-r--r--  meta-security/meta-tpm/conf/layer.conf | 2
-rw-r--r--  meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.9.0.bb | 6
-rw-r--r--  meta-security/recipes-compliance/openscap/files/0001-Replace-distutils.sysconfig-with-sysconfig.patch | 57
-rw-r--r--  meta-security/recipes-compliance/openscap/openscap_1.3.9.bb | 8
-rw-r--r--  meta-security/recipes-core/images/dm-verity-image-initramfs.bb | 2
-rw-r--r--  meta-security/recipes-ids/suricata/suricata_7.0.0.bb | 6
-rw-r--r--  meta-security/recipes-scanners/arpwatch/arpwatch_3.3.bb | 5
-rw-r--r--  meta-security/recipes-security/cryptmount/cryptmount_6.2.0.bb | 4
-rw-r--r--  meta-security/wic/beaglebone-yocto-verity.wks.in | 2
-rw-r--r--  meta-security/wic/systemd-bootdisk-dmverity.wks.in | 2
20 files changed, 152 insertions, 96 deletions
diff --git a/meta-security/classes/dm-verity-img.bbclass b/meta-security/classes/dm-verity-img.bbclass
index 2f212d6c7b..7f79548353 100644
--- a/meta-security/classes/dm-verity-img.bbclass
+++ b/meta-security/classes/dm-verity-img.bbclass
@@ -111,10 +111,10 @@ process_verity() {
# Create wks.in fragment with build specific UUIDs for partitions.
# Unfortunately the wks.in does not support line continuations...
# First, the unappended filesystem data partition.
- echo 'part / --source rawcopy --ondisk sda --sourceparams="file=${DM_VERITY_DEPLOY_DIR}/${DM_VERITY_IMAGE}-${MACHINE}.rootfs.${DM_VERITY_IMAGE_TYPE}.verity" --part-name verityroot --part-type="${DM_VERITY_ROOT_GUID}"'" --uuid=\"$ROOT_UUID\"" > $WKS_INC
+ echo 'part / --source rawcopy --ondisk sda --sourceparams="file=${DM_VERITY_DEPLOY_DIR}/${DM_VERITY_IMAGE}-${MACHINE}${IMAGE_NAME_SUFFIX}.${DM_VERITY_IMAGE_TYPE}.verity" --part-name verityroot --part-type="${DM_VERITY_ROOT_GUID}"'" --uuid=\"$ROOT_UUID\"" > $WKS_INC
# note: no default mount point for hash data partition
- echo 'part --source rawcopy --ondisk sda --sourceparams="file=${DM_VERITY_DEPLOY_DIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.vhash" --part-name verityhash --part-type="${DM_VERITY_RHASH_GUID}"'" --uuid=\"$RHASH_UUID\"" >> $WKS_INC
+ echo 'part --source rawcopy --ondisk sda --sourceparams="file=${DM_VERITY_DEPLOY_DIR}/${DM_VERITY_IMAGE}-${MACHINE}${IMAGE_NAME_SUFFIX}.${DM_VERITY_IMAGE_TYPE}.vhash" --part-name verityhash --part-type="${DM_VERITY_RHASH_GUID}"'" --uuid=\"$RHASH_UUID\"" >> $WKS_INC
}
verity_setup() {
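Review bot: the artifact name is now spelled out by hand in both echo lines of process_verity() as ${DM_VERITY_IMAGE}-${MACHINE}${IMAGE_NAME_SUFFIX}.${DM_VERITY_IMAGE_TYPE}, and the removed lines show how that drifts: the root partition line hard-coded ".rootfs" while the hash partition line had no suffix at all. Building the base name once in a shell variable at the top of the function and deriving the .verity and .vhash paths from it would keep the two partitions pointing at artifacts from the same build, which matters here because a hash tree paired with the wrong data image fails verification at boot.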
@@ -162,7 +162,7 @@ verity_setup() {
verity_hash() {
cd ${IMGDEPLOYDIR}
ln -sf ${IMAGE_NAME}.${DM_VERITY_IMAGE_TYPE}.vhash \
- ${IMAGE_BASENAME}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.vhash
+ ${IMAGE_BASENAME}-${MACHINE}${IMAGE_NAME_SUFFIX}.${DM_VERITY_IMAGE_TYPE}.vhash
}
VERITY_TYPES = " \
@@ -177,6 +177,24 @@ CONVERSION_CMD:verity = "verity_setup ${type}"
CONVERSION_DEPENDS_verity = "cryptsetup-native"
IMAGE_CMD:vhash = "verity_hash"
+def get_verity_fstypes(d):
+ verity_image = d.getVar('DM_VERITY_IMAGE')
+ verity_type = d.getVar('DM_VERITY_IMAGE_TYPE')
+ verity_hash = d.getVar('DM_VERITY_SEPARATE_HASH')
+ pn = d.getVar('PN')
+
+ fstypes = ""
+ if not pn.endswith(verity_image):
+ return fstypes # This doesn't concern this image
+
+ fstypes = verity_type + ".verity"
+ if verity_hash == "1":
+ fstypes += " vhash"
+
+ return fstypes
+
+IMAGE_FSTYPES += "${@get_verity_fstypes(d)}"
+
python __anonymous() {
verity_image = d.getVar('DM_VERITY_IMAGE')
verity_type = d.getVar('DM_VERITY_IMAGE_TYPE')
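Review bot: get_verity_fstypes() has no handling for unset variables, although it is expanded through IMAGE_FSTYPES for every recipe that inherits the class. If DM_VERITY_IMAGE or DM_VERITY_IMAGE_TYPE is not set, d.getVar() returns None, and pn.endswith(verity_image) or verity_type + ".verity" raises a TypeError instead of reaching the 'dm-verity-img class inherited but not used' warning in the anonymous function below. Return "" early when either value is empty. The function also uses verity_type before the "exactly one type" check in the anonymous function has had a chance to reject a multi-word value.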
@@ -188,16 +206,12 @@ python __anonymous() {
bb.warn('dm-verity-img class inherited but not used')
return
- if verity_image != pn:
+ if not pn.endswith(verity_image):
return # This doesn't concern this image
if len(verity_type.split()) != 1:
bb.fatal('DM_VERITY_IMAGE_TYPE must contain exactly one type')
- d.appendVar('IMAGE_FSTYPES', ' %s.verity' % verity_type)
- if verity_hash == "1":
- d.appendVar('IMAGE_FSTYPES', ' vhash')
-
# If we're using wic: we'll have to use partition images and not the rootfs
# source plugin so add the appropriate dependency.
if 'wic' in image_fstypes:
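Review bot: replacing "verity_image != pn" with "not pn.endswith(verity_image)" turns an exact match into a suffix match with no comment saying which recipe names it is meant to admit. Any image recipe whose PN merely ends in the DM_VERITY_IMAGE string now gets the verity fstypes and the wic dependency handling, so an unrelated image can start producing and consuming verity artifacts unintentionally. If the intent is a known set of prefixed variants, state that in a comment and match on those prefixes explicitly. The same condition is duplicated in get_verity_fstypes(), so a shared helper would keep the two from diverging.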
diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf
index 3e8db1f17c..471674cd8b 100644
--- a/meta-security/conf/layer.conf
+++ b/meta-security/conf/layer.conf
@@ -9,7 +9,7 @@ BBFILE_COLLECTIONS += "security"
BBFILE_PATTERN_security = "^${LAYERDIR}/"
BBFILE_PRIORITY_security = "8"
-LAYERSERIES_COMPAT_security = "nanbield"
+LAYERSERIES_COMPAT_security = "nanbield scarthgap"
LAYERDEPENDS_security = "core openembedded-layer"
diff --git a/meta-security/docs/dm-verity.txt b/meta-security/docs/dm-verity.txt
index c2dce73979..a538fa20ba 100644
--- a/meta-security/docs/dm-verity.txt
+++ b/meta-security/docs/dm-verity.txt
@@ -3,7 +3,7 @@ dm-verity and Yocto/OE
The dm-verity feature provides a level of data integrity and resistance to
data tampering. It does this by creating a hash for each data block of
the underlying device as the base of a hash tree. There are many
-documents out there to further explain the implementaion, such as the
+documents out there to further explain the implementation, such as the
in-kernel one itself:
https://docs.kernel.org/admin-guide/device-mapper/verity.html
diff --git a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-flask-script_2.0.6.bb b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-flask-script_2.0.6.bb
index 377ad02fe7..ba0f974c33 100644
--- a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-flask-script_2.0.6.bb
+++ b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-flask-script_2.0.6.bb
@@ -10,5 +10,5 @@ PYPI_PACKAGE = "Flask-Script"
inherit pypi setuptools3
RDEPENDS:${PN} += "\
- ${PYTHON_PN}-flask \
+ python3-flask \
"
diff --git a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-pyinotify/0001-Make-asyncore-support-optional-for-Python-3.patch b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-pyinotify/0001-Make-asyncore-support-optional-for-Python-3.patch
new file mode 100644
index 0000000000..075a035fbc
--- /dev/null
+++ b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-pyinotify/0001-Make-asyncore-support-optional-for-Python-3.patch
@@ -0,0 +1,92 @@
+From 478d595a7d086423733e9f5da5edfe9f1df48682 Mon Sep 17 00:00:00 2001
+From: Troy Curtis Jr <troy@troycurtisjr.com>
+Date: Thu, 10 Aug 2023 21:51:15 -0400
+Subject: [PATCH] Make asyncore support optional for Python 3.
+
+Fixes #204.
+
+Upstream-Status: Submitted [https://github.com/seb-m/pyinotify/pull/205]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+
+---
+ python3/pyinotify.py | 50 +++++++++++++++++++++++++-------------------
+ 1 file changed, 28 insertions(+), 22 deletions(-)
+
+diff --git a/python3/pyinotify.py b/python3/pyinotify.py
+index bc24313..f4a5a90 100755
+--- a/python3/pyinotify.py
++++ b/python3/pyinotify.py
+@@ -68,7 +68,6 @@ from collections import deque
+ from datetime import datetime, timedelta
+ import time
+ import re
+-import asyncore
+ import glob
+ import locale
+ import subprocess
+@@ -1494,33 +1493,40 @@ class ThreadedNotifier(threading.Thread, Notifier):
+ self.loop()
+
+
+-class AsyncNotifier(asyncore.file_dispatcher, Notifier):
+- """
+- This notifier inherits from asyncore.file_dispatcher in order to be able to
+- use pyinotify along with the asyncore framework.
++try:
++ import asyncore
+
+- """
+- def __init__(self, watch_manager, default_proc_fun=None, read_freq=0,
+- threshold=0, timeout=None, channel_map=None):
++ class AsyncNotifier(asyncore.file_dispatcher, Notifier):
+ """
+- Initializes the async notifier. The only additional parameter is
+- 'channel_map' which is the optional asyncore private map. See
+- Notifier class for the meaning of the others parameters.
++ This notifier inherits from asyncore.file_dispatcher in order to be able to
++ use pyinotify along with the asyncore framework.
+
+ """
+- Notifier.__init__(self, watch_manager, default_proc_fun, read_freq,
+- threshold, timeout)
+- asyncore.file_dispatcher.__init__(self, self._fd, channel_map)
++ def __init__(self, watch_manager, default_proc_fun=None, read_freq=0,
++ threshold=0, timeout=None, channel_map=None):
++ """
++ Initializes the async notifier. The only additional parameter is
++ 'channel_map' which is the optional asyncore private map. See
++ Notifier class for the meaning of the others parameters.
+
+- def handle_read(self):
+- """
+- When asyncore tells us we can read from the fd, we proceed processing
+- events. This method can be overridden for handling a notification
+- differently.
++ """
++ Notifier.__init__(self, watch_manager, default_proc_fun, read_freq,
++ threshold, timeout)
++ asyncore.file_dispatcher.__init__(self, self._fd, channel_map)
+
+- """
+- self.read_events()
+- self.process_events()
++ def handle_read(self):
++ """
++ When asyncore tells us we can read from the fd, we proceed processing
++ events. This method can be overridden for handling a notification
++ differently.
++
++ """
++ self.read_events()
++ self.process_events()
++except ImportError:
++ # asyncore was removed in Python 3.12, but try the import instead of a
++ # version check in case the compatibility package is installed.
++ pass
+
+
+ class TornadoAsyncNotifier(Notifier):
+--
+2.25.1
+
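Review bot: in the added "except ImportError: pass" branch the name AsyncNotifier is simply never defined, so on an interpreter without asyncore a caller gets an AttributeError on pyinotify.AsyncNotifier at use time with nothing pointing at the missing module. Keeping the try block around "import asyncore" only, and in the except branch defining a small AsyncNotifier whose __init__ raises an error naming asyncore, would make the failure explicit. Wrapping the whole class body in the try also means an ImportError raised anywhere during class creation is swallowed silently. Since the recipe's Upstream-Status is "Submitted", it is worth tracking the referenced pull request so this local patch can be dropped or refreshed once upstream decides.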
diff --git a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-pyinotify_0.9.6.bb b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-pyinotify_0.9.6.bb
index 963fcfe2ae..ff1b611bf5 100644
--- a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-pyinotify_0.9.6.bb
+++ b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-pyinotify_0.9.6.bb
@@ -3,16 +3,20 @@ LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://COPYING;md5=ab173cade7965b411528464589a08382"
RDEPENDS:${PN} += "\
- ${PYTHON_PN}-ctypes \
- ${PYTHON_PN}-fcntl \
- ${PYTHON_PN}-io \
- ${PYTHON_PN}-logging \
- ${PYTHON_PN}-misc \
- ${PYTHON_PN}-shell \
- ${PYTHON_PN}-threading \
+ python3-ctypes \
+ python3-fcntl \
+ python3-io \
+ python3-logging \
+ python3-misc \
+ python3-shell \
+ python3-threading \
"
SRC_URI[md5sum] = "8e580fa1ff3971f94a6f81672b76c406"
SRC_URI[sha256sum] = "9c998a5d7606ca835065cdabc013ae6c66eb9ea76a00a1e3bc6e0cfe2b4f71f4"
+SRC_URI += " \
+ file://0001-Make-asyncore-support-optional-for-Python-3.patch \
+"
+
inherit pypi setuptools3
diff --git a/meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_1.0.2.bb b/meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_1.0.2.bb
index 135e97c17c..bf5f87d367 100644
--- a/meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_1.0.2.bb
+++ b/meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_1.0.2.bb
@@ -54,7 +54,7 @@ do_install:append () {
do_install_ptest:append () {
install -d ${D}${PTEST_PATH}
install -d ${D}${PTEST_PATH}/bin
- sed -i -e 's/##PYTHON##/${PYTHON_PN}/g' ${D}${PTEST_PATH}/run-ptest
+ sed -i -e 's/##PYTHON##/python3/g' ${D}${PTEST_PATH}/run-ptest
install -D ${S}/bin/* ${D}${PTEST_PATH}/bin
rm -f ${D}${PTEST_PATH}/bin/fail2ban-python
}
diff --git a/meta-security/meta-hardening/conf/layer.conf b/meta-security/meta-hardening/conf/layer.conf
index c499e60a2b..8da050be18 100644
--- a/meta-security/meta-hardening/conf/layer.conf
+++ b/meta-security/meta-hardening/conf/layer.conf
@@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "harden-layer"
BBFILE_PATTERN_harden-layer = "^${LAYERDIR}/"
BBFILE_PRIORITY_harden-layer = "6"
-LAYERSERIES_COMPAT_harden-layer = "nanbield"
+LAYERSERIES_COMPAT_harden-layer = "nanbield scarthgap"
LAYERDEPENDS_harden-layer = "core openembedded-layer"
diff --git a/meta-security/meta-integrity/conf/layer.conf b/meta-security/meta-integrity/conf/layer.conf
index d00298ac8b..aab9652250 100644
--- a/meta-security/meta-integrity/conf/layer.conf
+++ b/meta-security/meta-integrity/conf/layer.conf
@@ -20,7 +20,7 @@ INTEGRITY_BASE := '${LAYERDIR}'
# interactive shell is enough.
OE_TERMINAL_EXPORTS += "INTEGRITY_BASE"
-LAYERSERIES_COMPAT_integrity = "nanbield"
+LAYERSERIES_COMPAT_integrity = "nanbield scarthgap"
# ima-evm-utils depends on keyutils from meta-oe
LAYERDEPENDS_integrity = "core openembedded-layer"
diff --git a/meta-security/meta-parsec/conf/layer.conf b/meta-security/meta-parsec/conf/layer.conf
index 503953a881..e9d02306c2 100644
--- a/meta-security/meta-parsec/conf/layer.conf
+++ b/meta-security/meta-parsec/conf/layer.conf
@@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "parsec-layer"
BBFILE_PATTERN_parsec-layer = "^${LAYERDIR}/"
BBFILE_PRIORITY_parsec-layer = "5"
-LAYERSERIES_COMPAT_parsec-layer = "nanbield"
+LAYERSERIES_COMPAT_parsec-layer = "nanbield scarthgap"
LAYERDEPENDS_parsec-layer = "core clang-layer"
BBLAYERS_LAYERINDEX_NAME_parsec-layer = "meta-parsec"
diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf
index 8075706269..58b61d4d2b 100644
--- a/meta-security/meta-tpm/conf/layer.conf
+++ b/meta-security/meta-tpm/conf/layer.conf
@@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "tpm-layer"
BBFILE_PATTERN_tpm-layer = "^${LAYERDIR}/"
BBFILE_PRIORITY_tpm-layer = "6"
-LAYERSERIES_COMPAT_tpm-layer = "nanbield"
+LAYERSERIES_COMPAT_tpm-layer = "nanbield scarthgap"
LAYERDEPENDS_tpm-layer = " \
core \
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.9.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.9.0.bb
index e0def0f704..9dea957612 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.9.0.bb
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.9.0.bb
@@ -24,9 +24,9 @@ do_compile:append() {
do_install:append() {
cd ${S}/tools
export PYTHONPATH="${D}${PYTHON_SITEPACKAGES_DIR}"
- ${PYTHON_PN} setup.py install --root="${D}" --prefix="${prefix}" --install-lib="${PYTHON_SITEPACKAGES_DIR}" --optimize=1 --skip-build
+ python3 setup.py install --root="${D}" --prefix="${prefix}" --install-lib="${PYTHON_SITEPACKAGES_DIR}" --optimize=1 --skip-build
- sed -i -e "s:${PYTHON}:${USRBINPATH}/env ${PYTHON_PN}:g" "${D}${bindir}"/tpm2_ptool
+ sed -i -e "s:${PYTHON}:${USRBINPATH}/env python3:g" "${D}${bindir}"/tpm2_ptool
}
PACKAGES =+ "${PN}-tools"
@@ -44,4 +44,4 @@ FILES:${PN} += "\
INSANE_SKIP:${PN} += "dev-so"
RDEPENDS:${PN} = "p11-kit tpm2-tools "
-RDEPENDS:${PN}-tools = "${PYTHON_PN}-pyyaml ${PYTHON_PN}-cryptography ${PYTHON_PN}-pyasn1-modules"
+RDEPENDS:${PN}-tools = "python3-pyyaml python3-cryptography python3-pyasn1-modules"
diff --git a/meta-security/recipes-compliance/openscap/files/0001-Replace-distutils.sysconfig-with-sysconfig.patch b/meta-security/recipes-compliance/openscap/files/0001-Replace-distutils.sysconfig-with-sysconfig.patch
deleted file mode 100644
index f3f8cf773b..0000000000
--- a/meta-security/recipes-compliance/openscap/files/0001-Replace-distutils.sysconfig-with-sysconfig.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 9a8e01f8421f92f40b4cbff6cf055538e9a0b0ae Mon Sep 17 00:00:00 2001
-From: Evgeny Kolesnikov <ekolesni@redhat.com>
-Date: Thu, 25 Jan 2024 21:37:05 +0100
-Subject: [PATCH] Replace distutils.sysconfig with sysconfig
-
-Upstream-Status: Backport
-[https://github.com/OpenSCAP/openscap/commit/9a8e01f8421f92f40b4cbff6cf055538e9a0b0ae]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- docs/developer/developer.adoc | 2 +-
- swig/python3/CMakeLists.txt | 2 +-
- utils/CMakeLists.txt | 2 +-
- 3 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/docs/developer/developer.adoc b/docs/developer/developer.adoc
-index 77c6d5161..e923069cc 100644
---- a/docs/developer/developer.adoc
-+++ b/docs/developer/developer.adoc
-@@ -113,7 +113,7 @@ On Ubuntu 18.04 and potentially other distro, the python3 dist-packages path is
- If the following command:
-
- ----
--$ python3 -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())"
-+$ python3 -c "import sysconfig; print(sysconfig.get_path('platlib'))"
- ----
-
- returns "/usr/local/lib/python3/dist-packages" instead of a path like
-diff --git a/swig/python3/CMakeLists.txt b/swig/python3/CMakeLists.txt
-index 2594cf000..5f301326c 100644
---- a/swig/python3/CMakeLists.txt
-+++ b/swig/python3/CMakeLists.txt
-@@ -26,7 +26,7 @@ add_custom_target(python3_compile ALL DEPENDS ${PYTHON_COMPILED_FILES})
-
- if(NOT PYTHON_SITE_PACKAGES_INSTALL_DIR)
- execute_process(COMMAND
-- ${PYTHON_EXECUTABLE} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(True, prefix='${CMAKE_INSTALL_PREFIX}'))"
-+ ${PYTHON_EXECUTABLE} -c "import sysconfig; print(sysconfig.get_path('platlib'))"
- OUTPUT_VARIABLE PYTHON_SITE_PACKAGES_INSTALL_DIR
- OUTPUT_STRIP_TRAILING_WHITESPACE
- )
-diff --git a/utils/CMakeLists.txt b/utils/CMakeLists.txt
-index 93ce1f2a9..9347c2976 100644
---- a/utils/CMakeLists.txt
-+++ b/utils/CMakeLists.txt
-@@ -91,7 +91,7 @@ if(ENABLE_OSCAP_UTIL_DOCKER)
-
- if(NOT PYTHON_SITE_PACKAGES_INSTALL_DIR)
- execute_process(COMMAND
-- ${OSCAP_DOCKER_PYTHON} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(False, False, prefix='${CMAKE_INSTALL_PREFIX}'))"
-+ ${OSCAP_DOCKER_PYTHON} -c "import sysconfig; print(sysconfig.get_path('purelib'))"
- OUTPUT_VARIABLE PYTHON_SITE_PACKAGES_INSTALL_DIR
- OUTPUT_STRIP_TRAILING_WHITESPACE
- )
---
-2.25.1
-
diff --git a/meta-security/recipes-compliance/openscap/openscap_1.3.9.bb b/meta-security/recipes-compliance/openscap/openscap_1.3.9.bb
index d956ff1e04..b35ce9f257 100644
--- a/meta-security/recipes-compliance/openscap/openscap_1.3.9.bb
+++ b/meta-security/recipes-compliance/openscap/openscap_1.3.9.bb
@@ -9,11 +9,9 @@ LICENSE = "LGPL-2.1-only"
DEPENDS = "dbus acl bzip2 pkgconfig gconf procps curl libxml2 libxslt libcap swig libpcre xmlsec1"
DEPENDS:class-native = "pkgconfig-native swig-native curl-native libxml2-native libxslt-native libcap-native libpcre-native xmlsec1-native"
-#Jun 22th, 2023
-SRCREV = "9b3e7563575f7e5b419f8a09999b40f30e3e7c29"
-SRC_URI = "git://github.com/OpenSCAP/openscap.git;branch=maint-1.3;protocol=https \
- file://0001-Replace-distutils.sysconfig-with-sysconfig.patch \
- "
+#March 18th, 2024
+SRCREV = "0e7f654570971c1acee6dd3f34b17121372d6152"
+SRC_URI = "git://github.com/OpenSCAP/openscap.git;branch=maint-1.3;protocol=https "
S = "${WORKDIR}/git"
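Review bot: SRCREV moves from a commit commented "Jun 22th, 2023" to one commented "March 18th, 2024" on maint-1.3, but the recipe is still openscap_1.3.9.bb with no visible PV change. If the new revision is not the 1.3.9 release, the package version no longer identifies what is shipped, which makes version-based CVE matching for this compliance scanner unreliable; a PV of the form 1.3.9+git would record that. The new SRC_URI value also keeps a trailing space inside the quotes that can be dropped.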
diff --git a/meta-security/recipes-core/images/dm-verity-image-initramfs.bb b/meta-security/recipes-core/images/dm-verity-image-initramfs.bb
index 78f7b49b27..4256e19ea2 100644
--- a/meta-security/recipes-core/images/dm-verity-image-initramfs.bb
+++ b/meta-security/recipes-core/images/dm-verity-image-initramfs.bb
@@ -18,6 +18,8 @@ PACKAGE_INSTALL = " \
IMAGE_FEATURES = ""
IMAGE_LINGUAS = ""
+IMAGE_NAME_SUFFIX ?= ""
+
# Can we somehow inspect reverse dependencies to avoid these variables?
python __anonymous() {
verity_image = d.getVar('DM_VERITY_IMAGE')
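Review bot: the added IMAGE_NAME_SUFFIX ?= "" has no comment explaining why the initramfs needs an empty suffix, and the weak "?=" form means any assignment made earlier in configuration wins over it. If consumers of the initramfs artifact expect the suffix-less file name, a hard "=" with a one-line comment naming that consumer would make the expectation enforceable; if overriding is intended, say so in the comment.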
diff --git a/meta-security/recipes-ids/suricata/suricata_7.0.0.bb b/meta-security/recipes-ids/suricata/suricata_7.0.0.bb
index a52f081573..a01b3d937e 100644
--- a/meta-security/recipes-ids/suricata/suricata_7.0.0.bb
+++ b/meta-security/recipes-ids/suricata/suricata_7.0.0.bb
@@ -104,9 +104,9 @@ do_install () {
# Remove /var/run as it is created on startup
rm -rf ${D}${localstatedir}/run
- sed -i -e "s:#!.*$:#!${USRBINPATH}/env ${PYTHON_PN}:g" ${D}${bindir}/suricatasc
- sed -i -e "s:#!.*$:#!${USRBINPATH}/env ${PYTHON_PN}:g" ${D}${bindir}/suricatactl
- sed -i -e "s:#!.*$:#!${USRBINPATH}/env ${PYTHON_PN}:g" ${D}${libdir}/suricata/python/suricata/sc/suricatasc.py
+ sed -i -e "s:#!.*$:#!${USRBINPATH}/env python3:g" ${D}${bindir}/suricatasc
+ sed -i -e "s:#!.*$:#!${USRBINPATH}/env python3:g" ${D}${bindir}/suricatactl
+ sed -i -e "s:#!.*$:#!${USRBINPATH}/env python3:g" ${D}${libdir}/suricata/python/suricata/sc/suricatasc.py
}
pkg_postinst_ontarget:${PN} () {
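Review bot: the three sed expressions "s:#!.*$:#!${USRBINPATH}/env python3:g" are anchored neither to the first line nor to the start of a line, so any line in suricatasc, suricatactl or suricatasc.py that contains "#!" is rewritten from that point onward, not only the interpreter line. Restricting the substitution to the first line and to a leading "#!" (for example an address of 1 with a ^ anchor) limits the edit to the shebang. The three near-identical lines could also be a single sed invocation over the three files.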
diff --git a/meta-security/recipes-scanners/arpwatch/arpwatch_3.3.bb b/meta-security/recipes-scanners/arpwatch/arpwatch_3.3.bb
index 7a0a776beb..e547938b20 100644
--- a/meta-security/recipes-scanners/arpwatch/arpwatch_3.3.bb
+++ b/meta-security/recipes-scanners/arpwatch/arpwatch_3.3.bb
@@ -23,7 +23,7 @@ ARPWATH_REPLY ?= "${ARPWATCH_UID}"
PACKAGECONFIG ??= ""
-PACKACONFIG[email] = "-with-watcher=email=${APRWATCH_FROM} --with-watchee=email=${ARPWATH_REPLY}, , postfix, postfix postfix-cfg"
+PACKAGECONFIG[email] = "-with-watcher=email=${APRWATCH_FROM} --with-watchee=email=${ARPWATH_REPLY}, , postfix, postfix postfix-cfg"
CONFIGUREOPTS = " --build=${BUILD_SYS} \
--host=${HOST_SYS} \
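Review bot: now that the PACKAGECONFIG[email] key is spelled correctly, its value takes effect for the first time, and the value still looks wrong in two places: "-with-watcher=email=..." has a single leading dash where the neighbouring "--with-watchee" has two, and ${APRWATCH_FROM} appears to carry the same APR/ARP transposition this change fixes elsewhere. Check that the variable referenced is actually defined in the recipe, otherwise configure receives an unexpanded or empty sender address.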
@@ -42,6 +42,7 @@ CONFIGUREOPTS = " --build=${BUILD_SYS} \
--infodir=${infodir} \
--mandir=${mandir} \
--srcdir=${S} \
+ --with-sendmail=${sbindir}/sendmail \
"
do_configure () {
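Review bot: "--with-sendmail=${sbindir}/sendmail" is added to CONFIGUREOPTS unconditionally, while the only provider of a sendmail binary visible in this recipe (postfix) is pulled in by PACKAGECONFIG[email], which defaults to off via PACKAGECONFIG ??= "". With the default configuration the built arpwatch will reference a path that nothing installs; either move the option into the email PACKAGECONFIG or add a comment that the path is only a build-time placeholder.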
@@ -51,7 +52,7 @@ do_configure () {
do_install () {
install -d ${D}${bindir}
install -d ${D}${sbindir}
- install -d ${D}${mandir}
+ install -d ${D}${mandir}/man8
install -d ${D}${sysconfdir}
install -d ${D}${sysconfdir}/default
install -d ${D}${sysconfdir}/init.d
diff --git a/meta-security/recipes-security/cryptmount/cryptmount_6.2.0.bb b/meta-security/recipes-security/cryptmount/cryptmount_6.2.0.bb
index d815e1d7b2..d69d88b592 100644
--- a/meta-security/recipes-security/cryptmount/cryptmount_6.2.0.bb
+++ b/meta-security/recipes-security/cryptmount/cryptmount_6.2.0.bb
@@ -25,7 +25,9 @@ SYSTEMD_SERVICE:${PN} = "cryptmount.service"
do_install:append () {
if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
install -D -m 0644 ${S}/sysinit/cryptmount.service ${D}${systemd_system_unitdir}/cryptmount.service
- rm -fr ${D}/usr/lib
+ if ${@bb.utils.contains('DISTRO_FEATURES','usrmerge','false','true',d)}; then
+ rm -fr ${D}/usr/lib
+ fi
fi
}
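Review bot: the guarded "rm -fr ${D}/usr/lib" still hard-codes /usr/lib and removes the whole directory on non-usrmerge builds, so anything else cryptmount installs there is deleted along with whatever this was meant to clean up. Removing only the specific unwanted path, expressed through the standard directory variables, avoids both the usrmerge special case and accidental loss of files. The check itself reads backwards at first glance because the 'false','true' arguments to bb.utils.contains are swapped to express "not usrmerge"; a short comment would help.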
diff --git a/meta-security/wic/beaglebone-yocto-verity.wks.in b/meta-security/wic/beaglebone-yocto-verity.wks.in
index d2923de127..2d332d88bd 100644
--- a/meta-security/wic/beaglebone-yocto-verity.wks.in
+++ b/meta-security/wic/beaglebone-yocto-verity.wks.in
@@ -12,5 +12,5 @@
# This .wks only works with the dm-verity-img class.
part /boot --source bootimg-partition --ondisk mmcblk0 --fstype=vfat --label boot --active --align 4 --fixed-size 32 --sourceparams="loader=u-boot" --use-uuid
-part / --source rawcopy --ondisk mmcblk0 --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity"
+part / --source rawcopy --ondisk mmcblk0 --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}${IMAGE_NAME_SUFFIX}.${DM_VERITY_IMAGE_TYPE}.verity"
bootloader --append="console=ttyS0,115200"
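Review bot: ${IMAGE_NAME_SUFFIX} in this rawcopy path is expanded in the context of whichever recipe processes the .wks.in, not necessarily the recipe that produced the DM_VERITY_IMAGE artifact. This same commit gives dm-verity-image-initramfs its own empty suffix, so per-recipe values do differ. Please confirm the suffix seen here always equals the one the verity image was deployed with, or the wic step will fail to find the file (or pick up a stale one from an earlier build).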
diff --git a/meta-security/wic/systemd-bootdisk-dmverity.wks.in b/meta-security/wic/systemd-bootdisk-dmverity.wks.in
index 8466368772..0ac9ccab6a 100644
--- a/meta-security/wic/systemd-bootdisk-dmverity.wks.in
+++ b/meta-security/wic/systemd-bootdisk-dmverity.wks.in
@@ -10,7 +10,7 @@
part /boot --source bootimg-efi --sourceparams="loader=systemd-boot,initrd=microcode.cpio" --ondisk sda --label msdos --active --align 1024 --use-uuid
-part / --source rawcopy --ondisk sda --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}.${DM_VERITY_IMAGE_TYPE}.verity" --use-uuid
+part / --source rawcopy --ondisk sda --sourceparams="file=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}${IMAGE_NAME_SUFFIX}.${DM_VERITY_IMAGE_TYPE}.verity" --use-uuid
part swap --ondisk sda --size 44 --label swap1 --fstype=swap --use-uuid