Re: [OE-core] [PATCH] insane.bbclass: use HOST_ARCH to check for 32-bit symbols
On Fri, May 24, 2024 at 09:49 GMT, Alexander Kanavin wrote:
> I vaguely remember that at some point I ran 'bitbake -e recipe'
> against qemux86 machine to study that question, and looked through all
> related variables, and couldn't find anything better. But you're
> welcome to try that as well.

For my specific example, I still believe it is more accurate to use HOST_ARCH and add "i686" to thirtytwo_bit_time_archs. This setup does not generate false positives and also works for qemux86. However, it will not necessarily work for other cases. To make it more general, I think some of the architectures from meta/lib/oe/elf.py can be added to thirtytwo_bit_time_archs.

When comparing this with elf.py, I noticed some inconsistency. For example, both "arm" and "armb" are defined, while only "x86" is defined. Shouldn't the latter be substituted with "i386", "i486", "i586" and "i686"? Also, shouldn't "mipsarcho32" correspond to the entries in elf.py? I'm unsure which ones exactly though.

-- 
Emil Kronborg

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#199899): https://lists.openembedded.org/g/openembedded-core/message/199899
Mute This Topic: https://lists.openembedded.org/mt/106261505/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
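The two gating strategies argued over in this thread, OVERRIDES membership versus HOST_ARCH membership, can be compared side by side on the variable values the thread itself quotes. The following is an added illustration, not code from insane.bbclass or from the patch: `FakeDataStore` stands in for BitBake's `d`, the qemux86 OVERRIDES string is the one from Richard Purdie's `bitbake -e` output, and the cross-canadian scenario (HOST_ARCH x86_64 with the target machine's "arm" override still present) is constructed to match the false positive shown in the patch's gcc-cross-canadian-arm log; the exact override string there is an assumption about its shape, not captured output.

```python
# Added illustration of the 32bit-time gate under the OVERRIDES-based check
# (pre-patch), the HOST_ARCH-based check as posted, and the HOST_ARCH check
# with the i386..i686 names proposed in the follow-up. Not insane.bbclass code.


class FakeDataStore:
    """Minimal stand-in for the BitBake datastore interface used below."""

    def __init__(self, **variables):
        self._vars = variables

    def getVar(self, name):
        return self._vars.get(name)


# The set exactly as it appears in check_32bit_symbols in the posted patch.
THIRTYTWO_BIT_TIME_ARCHS_PATCH = {'arm', 'armeb', 'mipsarcho32', 'powerpc', 'x86'}

# The follow-up's proposal: HOST_ARCH carries concrete names such as i686,
# never the "x86" override name, so those names must be in the set.
THIRTYTWO_BIT_TIME_ARCHS_PROPOSED = THIRTYTWO_BIT_TIME_ARCHS_PATCH | {
    'i386', 'i486', 'i586', 'i686',
}


def gate_by_overrides(d, archs=THIRTYTWO_BIT_TIME_ARCHS_PATCH):
    """Pre-patch gate: run the check if any 32-bit arch name is in OVERRIDES."""
    overrides = set(d.getVar('OVERRIDES').split(':'))
    return bool(archs & overrides)


def gate_by_host_arch(d, archs=THIRTYTWO_BIT_TIME_ARCHS_PATCH):
    """Patched gate: run the check only if HOST_ARCH itself is a 32-bit name."""
    return d.getVar('HOST_ARCH') in archs


# Scenario 1: MACHINE=qemux86 target build. OVERRIDES is the value quoted in
# the thread; HOST_ARCH equals the translated target arch, i686.
QEMUX86_TARGET = FakeDataStore(
    HOST_ARCH='i686',
    OVERRIDES='linux:i686:pn-defaultpkgname:layer-config:x86:qemuall:qemux86:'
              'poky:poky-altcfg:class-target:libc-glibc:forcevariable',
)

# Scenario 2 (constructed): gcc-cross-canadian-arm for an x86_64 SDK host.
# The binaries are 64-bit host binaries, but the target machine's "arm"
# override is still present in OVERRIDES. The string is an assumed shape.
CROSS_CANADIAN_SDK = FakeDataStore(
    HOST_ARCH='x86_64',
    OVERRIDES='linux:arm:pn-gcc-cross-canadian-arm:layer-core:arm:qemuall:'
              'qemuarm:poky:class-cross-canadian:libc-glibc:forcevariable',
)


def compare():
    """Return whether each gate would run the 32bit-time check per scenario."""
    return {
        'qemux86/overrides': gate_by_overrides(QEMUX86_TARGET),
        'qemux86/host_arch_patch': gate_by_host_arch(QEMUX86_TARGET),
        'qemux86/host_arch_proposed': gate_by_host_arch(
            QEMUX86_TARGET, THIRTYTWO_BIT_TIME_ARCHS_PROPOSED),
        'sdk/overrides': gate_by_overrides(CROSS_CANADIAN_SDK),
        'sdk/host_arch_patch': gate_by_host_arch(CROSS_CANADIAN_SDK),
        'sdk/host_arch_proposed': gate_by_host_arch(
            CROSS_CANADIAN_SDK, THIRTYTWO_BIT_TIME_ARCHS_PROPOSED),
    }


if __name__ == '__main__':
    for scenario, runs_check in compare().items():
        print(f'{scenario:28s} check runs: {runs_check}')
```

The qemux86 row shows the regression Richard Purdie pointed out: the posted patch turns the check off for a genuine 32-bit target because "i686" is not in the set, while the extended set restores it. The SDK row shows the false positive the patch set out to fix: the OVERRIDES gate fires on the target's "arm" override even though the host binary is x86_64, and neither HOST_ARCH variant does.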
Re: [OE-core] [PATCH] insane.bbclass: use HOST_ARCH to check for 32-bit symbols
On Thu, May 23, 2024 at 14:39 GMT, Richard Purdie wrote:
> This is not correct, e.g. HOST_ARCH does not always equal "x86" for 32
> bit x86 builds.
>
> $ MACHINE=qemux86 bitbake -e | grep ^OVERRIDES= -C 2
> # pre-expansion value:
> #   "${TARGET_OS}:${TRANSLATED_TARGET_ARCH}:pn-${PN}:layer-${FILE_LAYERNAME}:${MACHINEOVERRIDES}:${DISTROOVERRIDES}:${CLASSOVERRIDE}${LIBCOVERRIDE}:forcevariable"
> OVERRIDES="linux:i686:pn-defaultpkgname:layer-config:x86:qemuall:qemux86:poky:poky-altcfg:class-target:libc-glibc:forcevariable"
>
> i.e. the x86 comes from MACHINEOVERRIDES.

There is obviously a problem when building binaries for an SDK and using OVERRIDES for the check. To me, HOST_ARCH looks most correct, but if it misses some cases, it should not be used as a one-to-one replacement for OVERRIDES. Is there some proper way in BitBake to catch all 32-bit architectures? If not, would adding i686, and potentially other missing names, to the list of 32-bit time architectures, i.e. thirtytwo_bit_time_archs, be feasible?

-- 
Emil Kronborg

View/Reply Online (#199830): https://lists.openembedded.org/g/openembedded-core/message/199830
[OE-core] [PATCH] insane.bbclass: remove leftover variables and comment
The code that used these variables and the comment were introduced in commit b44d32ef41ef ("insane.bbclass: Portions of code were not running, fix this and sync with OE.dev. Also add tests for bad sysroot rpaths in binaries"). Later, in commit 17dae13fabe2 ("insane.bbclass: Fix ELF bitsize comparison"), some of that code was removed again, but not the variables and the comment.

Signed-off-by: Emil Kronborg

--- meta/classes-global/insane.bbclass | 4 1 file changed, 4 deletions(-) diff --git a/meta/classes-global/insane.bbclass b/meta/classes-global/insane.bbclass index 99736830b9a8..8bbecd3c2d17 100644 --- a/meta/classes-global/insane.bbclass +++ b/meta/classes-global/insane.bbclass @@ -840,10 +840,6 @@ def prepopulate_objdump_p(elf, d): # Walk over all files in a directory and call func def package_qa_walk(warnfuncs, errorfuncs, package, d): -#if this will throw an exception, then fix the dict above -target_os = d.getVar('HOST_OS') -target_arch = d.getVar('HOST_ARCH') - warnings = {} errors = {} elves = {} base-commit: 50f78cb9de68cd4317f34321dfdb06d72ce5d3c6 -- 2.45.1

View/Reply Online (#199792): https://lists.openembedded.org/g/openembedded-core/message/199792
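Review bot: the hunk shows only three context lines below the removed `target_os`/`target_arch` assignments in package_qa_walk, so the diff alone does not establish that nothing later in that function still reads them; the commit message's reference to 17dae13fabe2 is the argument, but a sentence saying the function was checked for remaining uses (or a few more lines of context) would let a reviewer confirm it without opening the file. The removed comment "#if this will throw an exception, then fix the dict above" still exists in package_qa_check_arch where it does apply, which is consistent with removing only this copy.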
[OE-core] [PATCH] insane.bbclass: fix HOST_ variable names
Commit cd25e5544ca3 ("insane: use HOST_ variables, not TARGET_ to determine the cross system") updated the variables themselves, but not their names. To prevent confusion, match the Python variable name to the BitBake variable name. Signed-off-by: Emil Kronborg --- meta/classes-global/insane.bbclass | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/meta/classes-global/insane.bbclass b/meta/classes-global/insane.bbclass index 99736830b9a8..d6124ef121a8 100644 --- a/meta/classes-global/insane.bbclass +++ b/meta/classes-global/insane.bbclass @@ -334,12 +334,12 @@ def package_qa_check_arch(path,name,d, elf, messages): if not elf: return -target_os = d.getVar('HOST_OS') -target_arch = d.getVar('HOST_ARCH') +host_os = d.getVar('HOST_OS') +host_arch = d.getVar('HOST_ARCH') provides = d.getVar('PROVIDES') bpn = d.getVar('BPN') -if target_arch == "allarch": +if host_arch == "allarch": pn = d.getVar('PN') oe.qa.add_message(messages, "arch", pn + ": Recipe inherits the allarch class, but has packaged architecture-specific binaries") return 
@@ -356,12 +356,12 @@ def package_qa_check_arch(path,name,d, elf, messages): #if this will throw an exception, then fix the dict above (machine, osabi, abiversion, littleendian, bits) \ -= oe.elf.machine_dict(d)[target_os][target_arch] += oe.elf.machine_dict(d)[host_os][host_arch] # Check the architecture and endiannes of the binary is_32 = (("virtual/kernel" in provides) or bb.data.inherits_class("module", d)) and \ -(target_os == "linux-gnux32" or target_os == "linux-muslx32" or \ -target_os == "linux-gnu_ilp32" or re.match(r'mips64.*32', d.getVar('DEFAULTTUNE'))) +(host_os == "linux-gnux32" or host_os == "linux-muslx32" or \ +host_os == "linux-gnu_ilp32" or re.match(r'mips64.*32', d.getVar('DEFAULTTUNE'))) is_bpf = (oe.qa.elf_machine_to_string(elf.machine()) == "BPF") if not ((machine == elf.machine()) or is_32 or is_bpf): oe.qa.add_message(messages, "arch", "Architecture did not match (%s, expected %s) in %s" % \ base-commit: 50f78cb9de68cd4317f34321dfdb06d72ce5d3c6 -- 2.45.1

View/Reply Online (#199791): https://lists.openembedded.org/g/openembedded-core/message/199791
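Review bot: the rename is mechanical and both hunks together account for all six insertions and deletions in the diffstat (the two getVar assignments, the `allarch` comparison, the machine_dict lookup and the three `host_os ==` comparisons), so nothing in package_qa_check_arch is left referring to the old names. Since the sibling patch "remove skipping of cross-compiled packages" lists this one as a prerequisite-patch-id, it would help to send the two as a numbered series so the dependency is visible in the subject lines.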
[OE-core] [PATCH] insane.bbclass: remove skipping of cross-compiled packages
After commit cd25e5544ca3 ("insane: use HOST_ variables, not TARGET_ to determine the cross system"), this check is no longer necessary. The introduction of HOST_ variables ensures architecture compatibility is correctly checked.

Signed-off-by: Emil Kronborg

--- meta/classes-global/insane.bbclass | 5 - 1 file changed, 5 deletions(-) diff --git a/meta/classes-global/insane.bbclass b/meta/classes-global/insane.bbclass index d6124ef121a8..b9d11d49106e 100644 --- a/meta/classes-global/insane.bbclass +++ b/meta/classes-global/insane.bbclass @@ -344,11 +344,6 @@ def package_qa_check_arch(path,name,d, elf, messages): oe.qa.add_message(messages, "arch", pn + ": Recipe inherits the allarch class, but has packaged architecture-specific binaries") return -# FIXME: Cross package confuse this check, so just skip them -for s in ['cross', 'nativesdk', 'cross-canadian']: -if bb.data.inherits_class(s, d): -return - # avoid following links to /usr/bin (e.g. on udev builds) # we will check the files pointed to anyway... if os.path.islink(path): base-commit: 50f78cb9de68cd4317f34321dfdb06d72ce5d3c6 prerequisite-patch-id: c1ecd83bbd60a912f70347e0333a5f13b967c047 -- 2.45.1

View/Reply Online (#199790): https://lists.openembedded.org/g/openembedded-core/message/199790
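Review bot: removing the early return means every cross, nativesdk and cross-canadian package now goes through the machine/ELF comparison below, and the commit message asserts this is now correct without evidence; a line stating which of these classes were built (for example gcc-cross-canadian-arm, which the sibling 32bit-time patch already exercises) with no new "arch" QA messages would support the claim and make a regression easy to bisect. Note also that the kept `is_32` special case still depends on DEFAULTTUNE, which for cross-canadian describes the target rather than the SDK host, so that path deserves a look once these packages are no longer skipped.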
[OE-core] [PATCH] insane.bbclass: use HOST_ARCH to check for 32-bit symbols
Using OVERRIDES in the check generates false positives in some scenarios, for example when building binaries for an SDK supposed to run on a 64-bit host. Therefore, it is more correct to use HOST_ARCH for the check instead. $ bitbake -c do_package_qa gcc-cross-canadian-arm (...) /usr/local/oe-sdk-hardcoded-buildpath/sysroots/x86_64-oesdk-linux/usr/bin/arm-oe-linux-gnueabi/arm-oe-linux-gnueabi-g++ uses 32-bit api 'localtime' /usr/local/oe-sdk-hardcoded-buildpath/sysroots/x86_64-oesdk-linux/usr/bin/arm-oe-linux-gnueabi/arm-oe-linux-gnueabi-g++ uses 32-bit api 'fcntl' /usr/local/oe-sdk-hardcoded-buildpath/sysroots/x86_64-oesdk-linux/usr/bin/arm-oe-linux-gnueabi/arm-oe-linux-gnueabi-g++ uses 32-bit api 'lstat' /usr/local/oe-sdk-hardcoded-buildpath/sysroots/x86_64-oesdk-linux/usr/bin/arm-oe-linux-gnueabi/arm-oe-linux-gnueabi-g++ uses 32-bit api 'wait4' /usr/local/oe-sdk-hardcoded-buildpath/sysroots/x86_64-oesdk-linux/usr/bin/arm-oe-linux-gnueabi/arm-oe-linux-gnueabi-g++ uses 32-bit api 'gettimeofday' /usr/local/oe-sdk-hardcoded-buildpath/sysroots/x86_64-oesdk-linux/usr/bin/arm-oe-linux-gnueabi/arm-oe-linux-gnueabi-g++ uses 32-bit api 'stat' /usr/local/oe-sdk-hardcoded-buildpath/sysroots/x86_64-oesdk-linux/usr/bin/arm-oe-linux-gnueabi/arm-oe-linux-gnueabi-g++ uses 32-bit api 'fstat' /usr/local/oe-sdk-hardcoded-buildpath/sysroots/x86_64-oesdk-linux/usr/bin/arm-oe-linux-gnueabi/arm-oe-linux-gnueabi-g++ uses 32-bit api 'ioctl' /usr/local/oe-sdk-hardcoded-buildpath/sysroots/x86_64-oesdk-linux/usr/bin/arm-oe-linux-gnueabi/arm-oe-linux-gnueabi-g++ uses 32-bit api 'time' /usr/local/oe-sdk-hardcoded-buildpath/sysroots/x86_64-oesdk-linux/usr/bin/arm-oe-linux-gnueabi/arm-oe-linux-gnueabi-g++ uses 32-bit api 'gmtime' Suppress with INSANE_SKIP = "32bit-time" Signed-off-by: Emil Kronborg --- meta/classes-global/insane.bbclass | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/meta/classes-global/insane.bbclass b/meta/classes-global/insane.bbclass index 99736830b9a8..bd2328601676 100644 --- a/meta/classes-global/insane.bbclass +++ b/meta/classes-global/insane.bbclass @@ -515,8 +515,7 @@ def check_32bit_symbols(path, packagename, d, elf, messages): Check that ELF files do not use any 32 bit time APIs from glibc. """ thirtytwo_bit_time_archs = {'arm','armeb','mipsarcho32','powerpc','x86'} -overrides = set(d.getVar('OVERRIDES').split(':')) -if not (thirtytwo_bit_time_archs & overrides): +if d.getVar('HOST_ARCH') not in thirtytwo_bit_time_archs: return import re base-commit: 50f78cb9de68cd4317f34321dfdb06d72ce5d3c6 -- 2.45.1

View/Reply Online (#199789): https://lists.openembedded.org/g/openembedded-core/message/199789
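Review bot: as the thread replies establish, HOST_ARCH is never "x86" for a 32-bit x86 target (it is i686 for qemux86, the "x86" string comes from MACHINEOVERRIDES), so `d.getVar('HOST_ARCH') not in thirtytwo_bit_time_archs` silently disables the 32bit-time check for those builds instead of merely removing the SDK false positive. Before this can land the set needs the concrete HOST_ARCH spellings (i386/i486/i586/i686 at least, and whatever mips o32 configurations report, since "mipsarcho32" is likewise an override name rather than an arch), or the patch trades a false positive for a false negative.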
[OE-core] [PATCH] gtk+3: add gtk+ to CVE_PRODUCT
While the plus in GTK+ was dropped in GTK4 and onwards [1], it is still necessary for GTK3. This is also reflected upstream where two versions exist: http://ftp.gnome.org/pub/gnome/sources/gtk+ and http://ftp.gnome.org/pub/gnome/sources/gtk.

[1]: https://mail.gnome.org/archives/gtk-devel-list/2019-February/msg0.html

Signed-off-by: Emil Kronborg

--- meta/recipes-gnome/gtk+/gtk+3_3.24.41.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-gnome/gtk+/gtk+3_3.24.41.bb b/meta/recipes-gnome/gtk+/gtk+3_3.24.41.bb index 17e90c59f0e0..350181330707 100644 --- a/meta/recipes-gnome/gtk+/gtk+3_3.24.41.bb +++ b/meta/recipes-gnome/gtk+/gtk+3_3.24.41.bb @@ -14,4 +14,4 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=5f30f0716dfdd0d91eb439ebec522ec2 \ file://gdk/gdk.h;endline=25;md5=c920ce39dc88c6f06d3e7c50e08086f2 \ file://tests/testgtk.c;endline=25;md5=cb732daee1d82af7a2bf953cf3cf26f1" -CVE_PRODUCT = "gnome:gtk" +CVE_PRODUCT = "gnome:gtk gtk:gtk\+" base-commit: 3400945ac94c37f335b1e500bdd91e6187ed20b1 -- 2.45.0

View/Reply Online (#199231): https://lists.openembedded.org/g/openembedded-core/message/199231
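Review bot: `gtk:gtk\+` puts a backslash into the BitBake string value, and whether the consumer then sees `gtk\+` or `gtk+` depends on how CVE_PRODUCT entries are compared (a regex would want the escape, a literal CPE product comparison would not); the commit message should say which form cve-check expects, or include a cve-check run showing a known gtk+ CVE matched after the change. It would also help to state why the plain `gnome:gtk` entry is kept alongside it rather than replaced.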
[OE-core] [PATCH v3] at-spi2-core: add at-spi2-atk to CVE_PRODUCT
Commit ad605662f1bc ("at-spi2-core: upgrade 2.44.1 -> 2.46.0") dropped the at-spi2-atk recipe, because it was merged into at-spi2-core upstream [1]. The PROVIDES variable was changed to also include at-spi2-atk, but not CVE_PRODUCT.

[1]: https://gitlab.gnome.org/GNOME/at-spi2-core/-/merge_requests/78

Signed-off-by: Emil Kronborg
---
Changes in v3:
- Actually append to CVE_PRODUCT instead of setting it to at-spi2-atk.

Changes in v2:
- Add at-spi2-atk via CVE_PRODUCT += to also include at-spi2-core.
- Add a commit message to make the patchtest bot happy.
- Rewrite the subject line to show that at-spi2-atk is appended.

meta/recipes-support/atk/at-spi2-core_2.52.0.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-support/atk/at-spi2-core_2.52.0.bb b/meta/recipes-support/atk/at-spi2-core_2.52.0.bb index cf221e038927..913b408403eb 100644 --- a/meta/recipes-support/atk/at-spi2-core_2.52.0.bb +++ b/meta/recipes-support/atk/at-spi2-core_2.52.0.bb @@ -7,6 +7,8 @@ BUGTRACKER = "http://bugzilla.gnome.org/; LICENSE = "LGPL-2.1-or-later" LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" +CVE_PRODUCT += "at-spi2-atk" + MAJ_VER = "${@oe.utils.trim_version("${PV}", 2)}" SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz" base-commit: 946086abf5ac5172258ddb27af9c1c615258f62f -- 2.44.0

View/Reply Online (#198503): https://lists.openembedded.org/g/openembedded-core/message/198503
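Review bot: `CVE_PRODUCT += "at-spi2-atk"` relies on the class-provided default product (the recipe name) still being in effect when the append is evaluated, which is what the v3 changelog intends but the hunk cannot show; quoting `bitbake -e at-spi2-core | grep ^CVE_PRODUCT=` in the message, confirming it expands to both at-spi2-core and at-spi2-atk, would close the loop that the v2 reply opened.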
[OE-core] [PATCH v2] at-spi2-core: add at-spi2-atk to CVE_PRODUCT
Commit ad605662f1bc ("at-spi2-core: upgrade 2.44.1 -> 2.46.0") dropped the at-spi2-atk recipe, because it was merged into at-spi2-core upstream [1]. The PROVIDES variable was changed to also include at-spi2-atk, but not CVE_PRODUCT.

[1]: https://gitlab.gnome.org/GNOME/at-spi2-core/-/merge_requests/78

Signed-off-by: Emil Kronborg

--- meta/recipes-support/atk/at-spi2-core_2.52.0.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-support/atk/at-spi2-core_2.52.0.bb b/meta/recipes-support/atk/at-spi2-core_2.52.0.bb index cf221e038927..2ab42ba13f50 100644 --- a/meta/recipes-support/atk/at-spi2-core_2.52.0.bb +++ b/meta/recipes-support/atk/at-spi2-core_2.52.0.bb @@ -7,6 +7,8 @@ BUGTRACKER = "http://bugzilla.gnome.org/; LICENSE = "LGPL-2.1-or-later" LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" +CVE_PRODUCT = "at-spi2-atk" + MAJ_VER = "${@oe.utils.trim_version("${PV}", 2)}" SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz" base-commit: 946086abf5ac5172258ddb27af9c1c615258f62f -- 2.44.0

View/Reply Online (#198502): https://lists.openembedded.org/g/openembedded-core/message/198502
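Review bot: the hunk still assigns `CVE_PRODUCT = "at-spi2-atk"`, which replaces the default product (at-spi2-core) instead of adding to it, so CVEs filed against at-spi2-core itself would no longer be matched; this contradicts the `+=` agreed in the v1 reply and the subject line "add at-spi2-atk to CVE_PRODUCT". The v3 resend corrects it.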
Re: [OE-core] [PATCH] at-spi2-core: set CVE_PRODUCT
On Wed, Apr 17, 2024 at 15:49, Ross Burton wrote:
> Don’t you mean +=? We care about issues against at-spi2-core too, surely.
>
> Ross

I was unable to find any (previous) CVEs for at-spi2-core, but I think you are right. Also, at-spi2-atk was merged into at-spi2-core last year [1], so matching both should be correct. I will send a v2 with this fix and a commit message as well, so the patchtest bot becomes happy.

[1]: https://gitlab.gnome.org/GNOME/at-spi2-core/-/merge_requests/78

-- 
Emil Kronborg

View/Reply Online (#198501): https://lists.openembedded.org/g/openembedded-core/message/198501
[OE-core] [PATCH] at-spi2-core: set CVE_PRODUCT
Signed-off-by: Emil Kronborg

--- meta/recipes-support/atk/at-spi2-core_2.52.0.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-support/atk/at-spi2-core_2.52.0.bb b/meta/recipes-support/atk/at-spi2-core_2.52.0.bb index cf221e038927..2ab42ba13f50 100644 --- a/meta/recipes-support/atk/at-spi2-core_2.52.0.bb +++ b/meta/recipes-support/atk/at-spi2-core_2.52.0.bb @@ -7,6 +7,8 @@ BUGTRACKER = "http://bugzilla.gnome.org/; LICENSE = "LGPL-2.1-or-later" LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" +CVE_PRODUCT = "at-spi2-atk" + MAJ_VER = "${@oe.utils.trim_version("${PV}", 2)}" SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz" base-commit: 946086abf5ac5172258ddb27af9c1c615258f62f -- 2.44.0

View/Reply Online (#198467): https://lists.openembedded.org/g/openembedded-core/message/198467
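Review bot: the patch has no commit message explaining why at-spi2-atk is a CVE product of the at-spi2-core recipe, and `CVE_PRODUCT = "at-spi2-atk"` drops the default at-spi2-core product rather than adding to it; both points were raised in the thread and addressed by the later versions (a message explaining the upstream merge, and `+=`).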
Re: [OE-core] [PATCH v2] python3-pytest: add CVE_PRODUCT
On Thu, Mar 21, 2024 at 17:10, Ross Burton wrote:
> I can only find two CVEs with the CPE pytest:py and either of them are
> actually related to the pytest package:
>
> https://nvd.nist.gov/vuln/detail/CVE-2020-29651
> https://nvd.nist.gov/vuln/detail/CVE-2022-42969
>
> These issues relate to https://github.com/pytest-dev/py which is not pytest.

You are right. This patch should not be pulled.

-- 
Emil Kronborg

View/Reply Online (#197457): https://lists.openembedded.org/g/openembedded-core/message/197457
Re: [OE-core] [PATCH v2] python3-pytest: add CVE_PRODUCT
On Thu, Mar 21, 2024 at 12:13, Richard Purdie wrote:
> I worry this is a misfiled CPE rather than general statement that
> they'd always use this for pytest CVEs. We might want to talk to them
> about tweaking it to be consistent? I'm certainly unsure about taking
> this patch as it might mask future issues?

I made a mistake. This CPE belongs to the py project by pytest [1]. The vendor name being http://pytest.org tricked me. Searching for pytest in the NIST NVD database yields a single CPE: pytest:py, so I think it is fine to keep it as is, even though a CPE might appear as pytest:pytest instead of python:pytest.

[1]: https://github.com/pytest-dev/py

-- 
Emil Kronborg

View/Reply Online (#197456): https://lists.openembedded.org/g/openembedded-core/message/197456
Re: [OE-core] [PATCH v2] pypi.bbclass: remove vendor from CVE_PRODUCT
On Thu, Mar 21, 2024 at 17:16, Ross Burton wrote:
> Have you got comparison reports for a world run before and after this change
> so we can see what the difference is?

No. After setting CVE_PRODUCT for around 5 python-* recipes, I noticed a pattern, which led me to pypi.bbclass. Here, I saw that the product is hardcoded to 'python', and thought it would be easier (and more correct) to fix it in a single place instead of multiple recipes.

-- 
Emil Kronborg

View/Reply Online (#197455): https://lists.openembedded.org/g/openembedded-core/message/197455
Re: [OE-core] [PATCH v2] file: add CVE_PRODUCT
On Thu, Mar 21, 2024 at 17:15, Ross Burton wrote:
> There's also file:file, for example
> https://nvd.nist.gov/vuln/detail/CVE-2007-2799.

Hm, clicking on "Show Matching CPE(s)" gives no matches, which a search also confirms. Searching for file_project:file yields results with identical versioning to the file project [1], and the vendor website also matches. My guess is that NIST changed the CPE name at some point, but I am unsure if or how I can confirm that.

[1]: https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3=cpe%3A2.3%3Aa%3Afile_project%3Afile

-- 
Emil Kronborg

View/Reply Online (#197454): https://lists.openembedded.org/g/openembedded-core/message/197454
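The three CVE_PRODUCT threads above (pypi.bbclass dropping the `python:` vendor, python3-pytest's `pytest:py`, and file's `file_project:file` versus `file:file`) all turn on the same convention: an entry is either `vendor:product` or a bare `product` that matches any vendor. The following is an added, simplified model of that matching written for this discussion; it is not cve-check.bbclass code and it uses a small constructed CPE table in place of the NVD database. The two py CVE ids and CVE-2007-2799 are the ones quoted in the thread; the other ids are placeholders.

```python
# Added example: model of how a CVE_PRODUCT string is matched against CPE
# (vendor, product) pairs, following the vendor:product / bare-product
# convention discussed in the threads. Not cve-check.bbclass code.

# Constructed CPE table: (vendor, product, CVE id). CVE-2020-29651,
# CVE-2022-42969 and CVE-2007-2799 are quoted in the thread; the ids
# containing "EXAMPLE" are placeholders, not real records.
CPE_TABLE = [
    ("pyopenssl", "pyopenssl", "CVE-EXAMPLE-PYOPENSSL"),
    ("pytest", "py", "CVE-2020-29651"),
    ("pytest", "py", "CVE-2022-42969"),
    ("file", "file", "CVE-2007-2799"),
    ("file_project", "file", "CVE-EXAMPLE-FILE"),
    # An unrelated vendor shipping a product also called "file": this is
    # what makes a bare "file" entry "too generic" in the thread's words.
    ("othervendor", "file", "CVE-EXAMPLE-OTHER"),
]

ANY_VENDOR = "*"


def parse_cve_product(value):
    """Split a CVE_PRODUCT value into (vendor, product) pairs.

    Entries are whitespace separated. "vendor:product" pins the vendor;
    a bare "product" matches any vendor (represented by ANY_VENDOR).
    """
    pairs = []
    for entry in value.split():
        if ":" in entry:
            vendor, product = entry.split(":", 1)
        else:
            vendor, product = ANY_VENDOR, entry
        if not product:
            raise ValueError(f"empty product in CVE_PRODUCT entry {entry!r}")
        pairs.append((vendor, product))
    return pairs


def matching_cves(cve_product, table=CPE_TABLE):
    """Return the sorted CVE ids whose CPE matches any CVE_PRODUCT entry."""
    pairs = parse_cve_product(cve_product)
    hits = set()
    for vendor, product, cve in table:
        for want_vendor, want_product in pairs:
            if product == want_product and want_vendor in (ANY_VENDOR, vendor):
                hits.add(cve)
    return sorted(hits)


if __name__ == "__main__":
    # The cases argued in the threads, in the order they were raised.
    for value in ("python:pyopenssl", "pyopenssl",
                  "python:pytest", "pytest", "pytest:py",
                  "file", "file_project:file", "file_project:file file:file"):
        print(f"{value:30s} -> {matching_cves(value)}")
```

Run as a script, the output shows each thread's point in one line each: `python:pyopenssl` matches nothing while the vendor-less `pyopenssl` does (the pypi.bbclass change); `pytest:py` matches exactly the two CVEs that belong to the separate py project, which is why that patch was withdrawn; and a bare `file` over-matches the unrelated vendor, `file_project:file` alone misses the older `file:file` record, and listing both CPEs covers the two without the over-match.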
[OE-core] [PATCH v2] python3-pytest: add CVE_PRODUCT
For some reason, the CVE product is just called py and not pytest in the NIST NVD database. Since the database only accepts keywords with at least 3 characters, the CVE vendor must also be specified.

Signed-off-by: Emil Kronborg
---
Changes in v2:
- I forgot to sign the first version.

meta/recipes-devtools/python/python3-pytest_8.0.2.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-devtools/python/python3-pytest_8.0.2.bb b/meta/recipes-devtools/python/python3-pytest_8.0.2.bb index 57e979e909c3..080b89ebdd5e 100644 --- a/meta/recipes-devtools/python/python3-pytest_8.0.2.bb +++ b/meta/recipes-devtools/python/python3-pytest_8.0.2.bb @@ -5,6 +5,8 @@ DESCRIPTION = "The pytest framework makes it easy to write small tests, yet scal LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=bd27e41b6550fe0fc45356d1d81ee37c" +CVE_PRODUCT = "pytest:py" + SRC_URI[sha256sum] = "d4051d623a2e0b7e51960ba963193b09ce6daeb9759a451844a21e4ddedfc1bd" DEPENDS += "python3-setuptools-scm-native" -- 2.44.0

View/Reply Online (#197369): https://lists.openembedded.org/g/openembedded-core/message/197369
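Review bot: the CPE pytest:py is the separate pytest-dev/py project, not pytest; as the replies establish, the only two CVEs under that CPE (CVE-2020-29651 and CVE-2022-42969) are against py, so setting `CVE_PRODUCT = "pytest:py"` on python3-pytest would attach unrelated findings to pytest and, as Richard Purdie notes, could mask genuine pytest issues filed under a different CPE. The author agreed the patch should not be pulled.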
[OE-core] [PATCH v2] pypi.bbclass: remove vendor from CVE_PRODUCT
By specifying the CVE vendor as python, some CVEs are not found. For instance, the CVE_PRODUCT for python3-pyopenssl becomes python:pyopenssl, which yields no matches in the NIST NVD database because the correct CVE vendor is pyopenssl.

Generally, CVE_PRODUCT ?= ${PYPI_PACKAGE}:${PYPI_PACKAGE} captures most cases. However, some package names, such as python3-pytest, are unrelated to the correct CVE product. In this case, the correct CVE vendor is pytest, but the CVE product is py, resulting in no CVEs being found. Therefore, not setting the CVE vendor is the most correct option.

Signed-off-by: Emil Kronborg
---
Changes in v2:
- I forgot to sign the first version.

meta/classes-recipe/pypi.bbclass | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/classes-recipe/pypi.bbclass b/meta/classes-recipe/pypi.bbclass index b8c18ccf395a..64ef9148d27e 100644 --- a/meta/classes-recipe/pypi.bbclass +++ b/meta/classes-recipe/pypi.bbclass @@ -35,4 +35,4 @@ UPSTREAM_CHECK_PYPI_PACKAGE ?= "${@d.getVar('PYPI_PACKAGE').replace('_', '-')}" UPSTREAM_CHECK_URI ?= "https://pypi.org/project/${UPSTREAM_CHECK_PYPI_PACKAGE}/; UPSTREAM_CHECK_REGEX ?= "/${UPSTREAM_CHECK_PYPI_PACKAGE}/(?P(\d+[\.\-_]*)+)/" -CVE_PRODUCT ?= "python:${PYPI_PACKAGE}" +CVE_PRODUCT ?= "${PYPI_PACKAGE}" -- 2.44.0

View/Reply Online (#197368): https://lists.openembedded.org/g/openembedded-core/message/197368
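Review bot: dropping the vendor changes the default CVE_PRODUCT of every pypi-based recipe at once, and a bare product name matches that product under any vendor, so the change can add spurious matches as well as the missing ones the message describes; the before/after world cve-check comparison Ross Burton asked for is needed to see the net effect before this is merged. The message also mentions `${PYPI_PACKAGE}:${PYPI_PACKAGE}` as the form that "captures most cases" while the hunk uses the bare `${PYPI_PACKAGE}`, so it should state explicitly that the vendor-less form was chosen to cover the pytest-style exceptions.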
[OE-core] [PATCH v2] file: add CVE_PRODUCT
Having only file as the CVE product is too generic. What we actually want is file from file_project to match the correct CVE(s).

Signed-off-by: Emil Kronborg
---
Changes in v2:
- I forgot to sign the first version.

meta/recipes-devtools/file/file_5.45.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-devtools/file/file_5.45.bb b/meta/recipes-devtools/file/file_5.45.bb index fa8dc576dccd..0144328b701c 100644 --- a/meta/recipes-devtools/file/file_5.45.bb +++ b/meta/recipes-devtools/file/file_5.45.bb @@ -8,6 +8,8 @@ SECTION = "console/utils" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://COPYING;beginline=2;md5=0251eaec1188b20d9a72c502ecfdda1b" +CVE_PRODUCT = "file_project:file" + DEPENDS = "file-replacement-native" DEPENDS:class-native = "bzip2-replacement-native" -- 2.44.0

View/Reply Online (#197367): https://lists.openembedded.org/g/openembedded-core/message/197367
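Review bot: the thread shows that NVD has recorded this project under both file:file (for example CVE-2007-2799) and file_project:file, and whether the older CPE is still attached to any entries is unresolved; pinning CVE_PRODUCT to file_project:file alone would drop anything still filed as file:file, so listing both (`file_project:file file:file`) keeps the vendor restriction the message wants without losing the older records. The message should also give one CVE that the bare `file` default wrongly matched, since "too generic" is the whole motivation.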
[OE-core] [PATCH] python3-pytest: add CVE_PRODUCT
For some reason, the CVE product is just called py and not pytest in the NIST NVD database. Since the database only accepts keywords with at least 3 characters, the CVE vendor must also be specified.

--- meta/recipes-devtools/python/python3-pytest_8.0.2.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-devtools/python/python3-pytest_8.0.2.bb b/meta/recipes-devtools/python/python3-pytest_8.0.2.bb index 57e979e909c3..080b89ebdd5e 100644 --- a/meta/recipes-devtools/python/python3-pytest_8.0.2.bb +++ b/meta/recipes-devtools/python/python3-pytest_8.0.2.bb @@ -5,6 +5,8 @@ DESCRIPTION = "The pytest framework makes it easy to write small tests, yet scal LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=bd27e41b6550fe0fc45356d1d81ee37c" +CVE_PRODUCT = "pytest:py" + SRC_URI[sha256sum] = "d4051d623a2e0b7e51960ba963193b09ce6daeb9759a451844a21e4ddedfc1bd" DEPENDS += "python3-setuptools-scm-native" -- 2.44.0

View/Reply Online (#197363): https://lists.openembedded.org/g/openembedded-core/message/197363
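Review bot: missing Signed-off-by, so the patch cannot be merged as posted (the v2 resend adds it). Separately, the message's reasoning that "py" is too short for an NVD keyword search does not establish that pytest:py is pytest's CPE; it is worth checking which project the CVEs under that CPE actually describe before pinning it.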
[OE-core] [PATCH] file: add CVE_PRODUCT
Having only file as the CVE product is too generic. What we actually want is file from file_project to match the correct CVE(s).

--- meta/recipes-devtools/file/file_5.45.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-devtools/file/file_5.45.bb b/meta/recipes-devtools/file/file_5.45.bb index fa8dc576dccd..0144328b701c 100644 --- a/meta/recipes-devtools/file/file_5.45.bb +++ b/meta/recipes-devtools/file/file_5.45.bb @@ -8,6 +8,8 @@ SECTION = "console/utils" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://COPYING;beginline=2;md5=0251eaec1188b20d9a72c502ecfdda1b" +CVE_PRODUCT = "file_project:file" + DEPENDS = "file-replacement-native" DEPENDS:class-native = "bzip2-replacement-native" -- 2.44.0

View/Reply Online (#197362): https://lists.openembedded.org/g/openembedded-core/message/197362
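Review bot: missing Signed-off-by, so the patch cannot be merged as posted (the v2 resend adds it). The substantive question of whether file:file records still exist alongside file_project:file applies to this version as well.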
[OE-core] [PATCH] pypi.bbclass: remove vendor from CVE_PRODUCT
By specifying the CVE vendor as python, some CVEs are not found. For instance, the CVE_PRODUCT for python3-pyopenssl becomes python:pyopenssl, which yields no matches in the NIST NVD database because the correct CVE vendor is pyopenssl.

Generally, CVE_PRODUCT ?= ${PYPI_PACKAGE}:${PYPI_PACKAGE} captures most cases. However, some package names, such as python3-pytest, are unrelated to the correct CVE product. In this case, the correct CVE vendor is pytest, but the CVE product is py, resulting in no CVEs being found. Therefore, not setting the CVE vendor is the most correct option.

--- meta/classes-recipe/pypi.bbclass | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/classes-recipe/pypi.bbclass b/meta/classes-recipe/pypi.bbclass index b8c18ccf395a..64ef9148d27e 100644 --- a/meta/classes-recipe/pypi.bbclass +++ b/meta/classes-recipe/pypi.bbclass @@ -35,4 +35,4 @@ UPSTREAM_CHECK_PYPI_PACKAGE ?= "${@d.getVar('PYPI_PACKAGE').replace('_', '-')}" UPSTREAM_CHECK_URI ?= "https://pypi.org/project/${UPSTREAM_CHECK_PYPI_PACKAGE}/; UPSTREAM_CHECK_REGEX ?= "/${UPSTREAM_CHECK_PYPI_PACKAGE}/(?P(\d+[\.\-_]*)+)/" -CVE_PRODUCT ?= "python:${PYPI_PACKAGE}" +CVE_PRODUCT ?= "${PYPI_PACKAGE}" -- 2.44.0

View/Reply Online (#197361): https://lists.openembedded.org/g/openembedded-core/message/197361
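Review bot: missing Signed-off-by, so the patch cannot be merged as posted (the v2 resend adds it). As a class-wide default change, it also needs a before/after cve-check comparison across the pypi recipes, since a vendor-less product name matches under every vendor.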
Re: [OE-core] [PATCH] openssh: enable sshd.service by default
On Fri, Mar 15, 2024 at 16:09, Ross Burton wrote:
> On 7 Mar 2024, at 20:08, Emil Kronborg via lists.openembedded.org wrote:
> >
> > Socket activation is prone to DoS (denial of service) because too many
> > connections will permanently deactivate sshd.socket [1]. Also, since
> > socket units do not allow setting Restart, accepting new connections can
> > fail due to, for example, OOM (out of memory) [2]. Therefore, it seems
> > more sensible to use sshd.service by default and let sshd.socket be an
> > optional choice.
>
> Counter-argument: this is why it’s a PACKAGECONFIG, and socket activation has
> the advantage that it makes boots faster. If DoS is a concern, then the
> distro can switch trivially to service activated.
>
> Ross

Those are fair arguments. What do you think about the situation where sshd.socket becomes disabled, and you are unable to connect? I can see this being a problem for remote boards or boards that are not easily accessible. FWIW, socket activation is disabled by default on Arch Linux and Fedora. I don't have a box running Debian (or any other distros) right now to check those as well.

-- 
Emil Kronborg

View/Reply Online (#197312): https://lists.openembedded.org/g/openembedded-core/message/197312
[OE-core] [PATCH] openssh: enable sshd.service by default
Socket activation is prone to DoS (denial of service) because too many connections will permanently deactivate sshd.socket [1]. Also, since socket units do not allow setting Restart, accepting new connections can fail due to, for example, OOM (out of memory) [2]. Therefore, it seems more sensible to use sshd.service by default and let sshd.socket be an optional choice. [1] https://bugs.archlinux.org/task/62248 [2] https://github.com/systemd/systemd/issues/11553 Signed-off-by: Emil Kronborg --- meta/recipes-connectivity/openssh/openssh_9.6p1.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb index 1fd36a266fde..a21570ed9382 100644 --- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb @@ -57,7 +57,7 @@ DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d) # systemd-sshd-socket-mode means installing sshd.socket # and systemd-sshd-service-mode corresponding to sshd.service -PACKAGECONFIG ??= "systemd-sshd-socket-mode" +PACKAGECONFIG ??= "systemd-sshd-service-mode" PACKAGECONFIG[kerberos] = "--with-kerberos5,--without-kerberos5,krb5" PACKAGECONFIG[ldns] = "--with-ldns,--without-ldns,ldns" PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit" -- 2.44.0 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#196823): https://lists.openembedded.org/g/openembedded-core/message/196823 Mute This Topic: https://lists.openembedded.org/mt/104795507/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
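Review bot: the PACKAGECONFIG ??= "systemd-sshd-service-mode" line flips the default for every distro that does not set PACKAGECONFIG itself, but the two comment lines kept above it in the hunk only say which unit each mode installs. Extending that comment with the reason for the default (socket units cannot set Restart, and too many connections deactivate sshd.socket, as the commit message explains) and a pointer to systemd-sshd-socket-mode for distros that prefer the faster boot would let a maintainer see the trade-off without consulting the list archive. The change should also be called out as a user-visible behaviour change for the release notes.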
[OE-core] [PATCH] bluez5: remove configuration files from install task
Since be0e796299b0 ("build: ship all config files with --enable-datafiles") in bluez, installing input.conf and network.conf has been redundant, as the bluez5 recipe already includes --enable-datafiles. Signed-off-by: Emil Kronborg --- meta/recipes-connectivity/bluez5/bluez5.inc | 8 1 file changed, 8 deletions(-) diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc index e10158a6e5ea..a31d7076ba80 100644 --- a/meta/recipes-connectivity/bluez5/bluez5.inc +++ b/meta/recipes-connectivity/bluez5/bluez5.inc @@ -87,14 +87,6 @@ do_install:append() { install -d ${D}${INIT_D_DIR} install -m 0755 ${WORKDIR}/init ${D}${INIT_D_DIR}/bluetooth - install -d ${D}${sysconfdir}/bluetooth/ - if [ -f ${S}/profiles/network/network.conf ]; then - install -m 0644 ${S}/profiles/network/network.conf ${D}/${sysconfdir}/bluetooth/ - fi - if [ -f ${S}/profiles/input/input.conf ]; then - install -m 0644 ${S}/profiles/input/input.conf ${D}/${sysconfdir}/bluetooth/ - fi - if [ -f ${D}/${sysconfdir}/init.d/bluetooth ]; then sed -i -e 's#@LIBEXECDIR@#${libexecdir}#g' ${D}/${sysconfdir}/init.d/bluetooth fi -- 2.43.2 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#196040): https://lists.openembedded.org/g/openembedded-core/message/196040 Mute This Topic: https://lists.openembedded.org/mt/104515519/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
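Review bot: the removed block is the only place in the visible hunk that creates ${D}${sysconfdir}/bluetooth/, so the change is only safe if the --enable-datafiles install the commit message relies on also places network.conf and input.conf in that directory with the same 0644 mode. Confirming this against the installed file list (for example by comparing the bluez5 package contents before and after) and stating in the commit message that the packaged files are unchanged would make the review self-contained. The remaining conditional on ${D}/${sysconfdir}/init.d/bluetooth is unaffected by the removal.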
