subtree updates
- Remove systemd patches for object-manager due to upstream fix.
meta-arm: 3b7347cd67..d5f132b199:
Abdellatif El Khlifi (2):
kas: corstone1000: set branches to langdale
arm-bsp/documentation: corstone1000: 2022.11.10 RC: update the user guide
Anton Antonov (1):
arm-bsp/fvp-base: Enable virtio-rng support and unset preferred 5.15 kernel
Emekcan (2):
arm-bsp/trusted-services: add checks for null attributes in smm gateway
arm-bsp/trusted-services: Fix GetNextVariable max_name_len in smm gateway
Jon Mason (3):
arm/sbsa-acs: update to the latest version
arm/hafnium: cleanup the patches
arm/gn: update to the latest SHA
Luca Fancellu (1):
arm,arm-bsp/recipes-kernel: don't use PN in arm-ffa-transport.inc
Peter Hoyes (5):
arm/fvp: Join cli arguments in verbose logging
arm/lib: Factor out asyncio in FVPRunner
arm/lib: Decouple console parsing from the FVPRunner
arm/oeqa: Log the FVP output in OEFVPSSHTarget
runfvp: Fix verbose output when using --console
Ross Burton (1):
arm/linux-arm64-ack: fix buildpaths in the perf Python module
Rui Miguel Silva (3):
arm/trusted-services: check before applying patches
arm-bsp/trusted-services: psa test setup corstone1000
arm-bsp/trusted-firmware-m: adjust ps assets for corstone1000
Vishnu Banavath (2):
arm-bsp/documentation: corstone1000: 2022.11.10 RC: update the release notes
arm-bsp/documentation: corstone1000: 2022.11.10 RC: update the change log
meta-raspberrypi: a305f4804b..93dadf336c:
Andrei Gherzan (2):
ci: Bump actions/checkout to v3
ci: Fix dco-check job with newer git versions
Martin Jansa (1):
raspberrypi4-64: drop DEFAULTTUNE assignment
poky: 482c493cf6..44bb88cc86:
Alex Kiernan (1):
rust: update 1.64.0 -> 1.65.0
Alexander Kanavin (74):
man-pages: upgrade 5.13 -> 6.01
piglit: upgrade to latest revision
lsof: upgrade 4.96.3 -> 4.96.4
ffmpeg: upgrade 5.1.1 -> 5.1.2
ccache: upgrade 4.6.3 -> 4.7.2
python3-pip: upgrade 22.2.2 -> 22.3
ltp: upgrade 20220527 -> 20220930
alsa-utils: upgrade 1.2.7 -> 1.2.8
alsa-ucm-conf: upgrade 1.2.7.2 -> 1.2.8
libbsd: upgrade 0.11.6 -> 0.11.7
libunistring: upgrade 1.0 -> 1.1
puzzles: upgrade to latest revision
libsoup: upgrade 3.2.0 -> 3.2.1
linux-firmware: upgrade 20220913 -> 20221012
python3-git: upgrade 3.1.28 -> 3.1.29
xwayland: upgrade 22.1.3 -> 22.1.4
strace: upgrade 5.19 -> 6.0
python3-dtschema: upgrade 2022.8.3 -> 2022.9
fontconfig: upgrade 2.14.0 -> 2.14.1
python3-setuptools: upgrade 65.0.2 -> 65.5.0
taglib: upgrade 1.12 -> 1.13
nghttp2: upgrade 1.49.0 -> 1.50.0
python3-wheel: upgrade 0.37.1 -> 0.38.0
libffi: upgrade 3.4.2 -> 3.4.4
libical: upgrade 3.0.15 -> 3.0.16
mtd-utils: upgrade 2.1.4 -> 2.1.5
repo: upgrade 2.29.3 -> 2.29.5
libidn2: upgrade 2.3.3 -> 2.3.4
makedepend: upgrade 1.0.6 -> 1.0.7
diffoscope: upgrade 221 -> 224
mmc-utils: upgrade to latest revision
libsoup-2.4: upgrade 2.74.2 -> 2.74.3
gdk-pixbuf: upgrade 2.42.9 -> 2.42.10
harfbuzz: upgrade 5.3.0 -> 5.3.1
netbase: upgrade 6.3 -> 6.4
mpg123: upgrade 1.30.2 -> 1.31.1
sudo: upgrade 1.9.11p3 -> 1.9.12
alsa-lib: upgrade 1.2.7.2 -> 1.2.8
pango: upgrade 1.50.10 -> 1.50.11
pixman: upgrade 0.40.0 -> 0.42.2
vulkan: upgrade 1.3.224.1 -> 1.3.231.1
gstreamer1.0: upgrade 1.20.3 -> 1.20.4
shaderc: upgrade 2022.2 -> 2022.3
selftest: add a copy of previous mtd-utils version to meta-selftest
python3: correctly adjust include paths in sysconfigdata
vala: install vapigen-wrapper into /usr/bin/crosscripts and stage only that
sanity.bbclass: do not check for presence of distutils
pango: replace a recipe fix with an upstream submitted patch
libpciaccess: update 0.16 -> 0.17
libxinerama: update 1.1.4 -> 1.1.5
libxkbfile: update 1.1.0 -> 1.1.1
libxmu: update 1.1.3 -> 1.1.4
libxrender: update 0.9.10 -> 0.9.11
libxshmfence: update 1.3 -> 1.3.1
libxtst: update 1.2.3 -> 1.2.4
libxxf86vm: update 1.1.4 -> 1.1.5
xcb-util: update to latest revisions
xf86-input-vmmouse: update 13.1.0 -> 13.2.0
gnomebase.bbclass: return the whole version for tarball directory if it is a number
adwaita-icon-theme: update 42.0 -> 43
libepoxy: convert to git
libepoxy: update 1.5.9 -> 1.5.10
rgb: update 1.0.6 -> 1.1.0
meson: update 0.63.3 -> 0.64.0
systemd: update 251.4 -> 251.8
libxext: update 1.3.4 -> 1.3.5
gettext: update 0.21 -> 0.21.1
glib-2.0: update 2.72.3 -> 2.74.1
glib-networking: update 2.72.2 -> 2.74.0
readline: update 8.1.2 -> 8.2
llvm: update 15.0.1 -> 15.0.4
make: update 4.3 -> 4.4
bash: update 5.1.16 -> 5.2.9
mesa: do not rely on native llvm-config in target sysroot
Atanas Bunchev (1):
qemu.rst: audio: reference to Command-Line options
Benjamin Szőke (1):
image_types: Add 7-Zip support in conversion types and commands
Changhyeok Bae (1):
repo: upgrade 2.29.5 -> 2.29.9
Chase Qi (1):
libc-test: add libc testsuite for musl
Christoph Lauer (1):
populate_sdk_base: add zip options
David Bagonyi (1):
gpgme: Allow setuptools3-base to be excluded from the inherit list
Diego Sueiro (1):
kernel.bbclass: Include randstruct seed assets in STAGING_KERNEL_BUILDDIR
Etienne Cordonnier (1):
mirrors.bbclass: use shallow tarball for nativesdk-binutils
Jordan Crouse (2):
spirv-tools: Correctly set the prefix in exported cmake packages
vulkan-loader: Allow headless targets to build the loader
Jose Quaresma (3):
sstatesig: skip the rm_work task signature
rm_work: exclude the SSTATETASKS from the rm_work tasks sinature
sstate: Allow optimisation of do_deploy_archives task dependencies
Joshua Watt (2):
classes: create-spdx: Move to version specific class
scripts: convert-overrides: Allow command-line customizations
Kai Kang (1):
libuv: fixup SRC_URI
Konrad Weihmann (1):
create-spdx: default share_src for shared sources
Lee Chee Yang (1):
migration guides: add release notes for 4.0.5
Leon Anavi (2):
get_module_deps3.py: Check attribute '__file__'
python3-manifest.json: Fix re in core
Mark Asselstine (2):
bitbake: data: drop unused __expand_var_regexp__ and __expand_python_regexp__
bitbake: data_smart: allow python snippets to include a dictionary
Markus Volk (4):
webkitgtk: use libsoup-3.0 by default
epiphany: use libsoup-3.0 by default
gstreamer1.0-plugins-good: use libsoup-3.0 by default
libinput: upgrade 1.19.4 -> 1.21.0
Martin Jansa (1):
cargo.bbclass: avoid calling which ${RUSTC} with undefined ${RUSTC}
Michael Opdenacker (10):
ref-manual: terms.rst: add SBOM and SPDX terms
ref-manual: variables.rst: document spdx-create class variables
dev-manual: common-tasks.rst: add section about SPDX / SBOM generation
ref-manual: classes.rst: expand documentation of create-spdx class
ref-manual: terms.rst: add reference to new SBOM/SPDX section in dev manual
manuals: document "mime-xdg" class and MIME_XDG_PACKAGES
manuals: add shortcut for Wikipedia links
ref-manual/variables.rst: expand BB_NUMBER_THREADS description
ref-manual/variables.rst: expand PARALLEL_MAKE description
release-notes: use oe_git and yocto_git macros
Nathan Rossi (4):
oeqa/selftest/lic_checksum: Cleanup changes to emptytest include
oeqa/selftest/minidebuginfo: Create selftest for minidebuginfo
glibc-locale: Do not INHIBIT_DEFAULT_DEPS
package: Fix handling of minidebuginfo with newer binutils
Niko Mauno (1):
systemd: Consider PACKAGECONFIG in RRECOMMENDS
Paulo Neves (1):
manuals: remove xterm requirements
Pavel Zhukov (1):
bitbake: gitsm: Fix regression in gitsm submodule path parsing
Peter Kjellerstedt (1):
pango: Make it build with ptest disabled
Peter Marko (2):
systemd: add group render to udev package
meta-selftest/staticids: add render group for systemd
Quentin Schulz (3):
docs: ref-manual: classes: fix section name for github-releases
docs: ref-manual: classes: add missing closing parenthesis
docs: poky.yaml.in: remove pylint3 from Ubuntu/Debian host dependencies
Richard Purdie (7):
bitbake.conf: Drop export of SOURCE_DATE_EPOCH_FALLBACK
gcc-shared-source: Fix source date epoch handling
gcc-source: Fix gengtypes race
gcc-source: Drop gengtype manipulation
gcc-source: Ensure deploy_source_date_epoch sstate hash doesn't change
sanity: Drop data finalize call
bitbake: data/data_smart/build: Clean up datastore finalize/update_data references
Robert Yang (1):
bitbake: gitsm.py: process_submodules(): Set nobranch=1 for url
Ross Burton (19):
insane: add codeload.github.com to src-uri-bad check
populate_sdk_ext: use ConfigParser instead of SafeConfigParser
stress-ng: improve makefile use
linux-firmware: don't put the firmware into the sysroot
oeqa/qemurunner: update exception class for QMP API changes
oeqa/core/decorator: add decorators to skip based on HOST_ARCH
oeqa/selftest/buildoptions: skip test_read_only_image on qemuarm64
oeqa/selftest/efibootpartition: improve test
oeqa/selftest/imagefeatures: remove hardcoded MACHINE in test_image_gen_debugfs
oeqa/selftest/imagefeatures: don't use wic images in test_hypervisor_fmts
oeqa/selftest/imagefeatures: set a .wks in test_fs_types
oeqa/selftest/overlayfs: overlayfs: skip x86-specific tests
oeqa/selftest/package: generalise test_gdb_hardlink_debug()
oeqa/selftest/package: improve test_preserve_ownership
oeqa/selftest/runqemu: don't hardcode qemux86-64
oeqa/selftest/runtime_test: only run the virgl tests on qemux86-64
oeqa/selftest/wic: skip more tests on aarch64
oeqa/selftest/wic: use skipIfNotArch instead of custom decorator
classes/testexport: move to classes-recipe
Sergei Zhmylev (1):
wic: make ext2/3/4 images reproducible
Tim Orling (4):
python3-typing-extensions: upgrade 4.3.0 -> 4.4.0
bitbake: toaster: fixtures/README: django 1.8 -> 3.2
bitbake: toaster: fixtures/gen_fixtures.py: update branches
bitbake: toaster: Add refreshed oe-core and poky fixtures
Ulrich Ölmann (1):
dev-manual: common-tasks.rst: fix typos
Wang Mingyu (33):
bind: upgrade 9.18.7 -> 9.18.8
libedit: upgrade 20210910-3.1 -> 20221030-3.1
mtools: upgrade 4.0.41 -> 4.0.42
diffstat: upgrade 1.64 -> 1.65
inetutils: upgrade 2.3 -> 2.4
orc: upgrade 0.4.32 -> 0.4.33
socat: upgrade 1.7.4.3 -> 1.7.4.4
libxcrypt: upgrade 4.4.28 -> 4.4.30
python3-babel: upgrade 2.10.3 -> 2.11.0
python3-hatch-fancy-pypi-readme: upgrade 22.7.0 -> 22.8.0
python3-hatchling upgrade: 1.11.0 -> 1.11.1
gi-docgen: upgrade 2022.1 -> 2022.2
libdrm: upgrade 2.4.113 -> 2.4.114
mmc-utils: upgrade to latest revision
mobile-broadband-provider-info: upgrade 20220725 -> 20221107
libsdl2: upgrade 2.24.1 -> 2.24.2
mesa: upgrade 22.2.2 -> 22.2.3
python3-dtschema: upgrade 2022.9 -> 2022.11
python3-flit-core: upgrade 3.7.1 -> 3.8.0
python3-pip: update 22.3 -> 22.3.1
python3-psutil: upgrade 5.9.3 -> 5.9.4
python3-setuptools: upgrade 65.5.0 -> 65.5.1
python3-sphinx-rtd-theme: upgrade 1.1.0 -> 1.1.1
python3-subunit: upgrade 1.4.0 -> 1.4.1
python3-wheel: upgrade 0.38.0 -> 0.38.4
sed: update 4.8 -> 4.9
sudo: upgrade 1.9.12 -> 1.9.12p1
sysstat: upgrade 12.6.0 -> 12.6.1
babeltrace: upgrade 1.5.8 -> 1.5.11
iso-codes: upgrade 4.11.0 -> 4.12.0
libsoup: upgrade 3.2.1 -> 3.2.2
wayland-protocols: upgrade 1.27 -> 1.28
xwayland: upgrade 22.1.4 -> 22.1.5
zhengruoqin (5):
python3-jsonschema: upgrade 4.16.0 -> 4.17.0
python3-pyrsistent: upgrade 0.18.1 -> 0.19.2
python3-numpy: upgrade 1.23.3 -> 1.23.4
python3-sphinx-rtd-theme: upgrade 1.0.0 -> 1.1.0
python3-pbr: upgrade 5.10.0 -> 5.11.0
meta-openembedded: 6ebff843cc..d04444509a:
Armin Kuster (1):
meta-oe][PATCH] gst-editing-services: fix typo in LICENSE field.
Chen Pei (1):
python3-brotli: Add new recipe for 1.0.9
Kory Maincent (1):
openocd: fix build error
Leon Anavi (6):
python3-automat: Upgrade 20.2.0 -> 22.10.0
python3-asttokens: Upgrade 2.0.8 -> 2.1.0
python3-zeroconf: Upgrade 0.39.2 -> 0.39.4
python3-imageio: Upgrade 2.22.2 -> 2.22.3
python3-httplib: Upgrade 0.20.4 -> 0.21.0
python3-twisted: Upgrade 22.8.0 -> 22.10.0
Markus Volk (6):
pugixml: upgrade 1.12 -> 1.13
geary: update 40.0 -> 43.0
rest: upgrade 0.8.1 -> 0.9.0
gnome-online-accounts: update 3.44.0 -> 3.46.0
yelp: use libsoup-3.0 by default
surf: use libsoup-3.0 by default
Martin Jansa (1):
monkey: use git fetcher
Randy MacLeod (1):
nftables: use automake ptest output format
Sakib Sajal (1):
minio: add recipe for minio client
Tim Orling (5):
libcompress-raw-bzip2-perl: upgrade 2.096 -> 2.201
libcompress-raw-lzma-perl: upgrade 2.096 -> 2.201
libcompress-raw-zlib-perl: upgrade 2.096 -> 2.202
libio-compress-lzma-perl: upgrade 2.096 -> 2.201
libio-compress-perl: upgrade 2.096 -> 2.201
Wang Mingyu (43):
python3-lazy-object-proxy: upgrade 1.7.1 -> 1.8.0
python3-luma-oled: upgrade 3.8.1 -> 3.9.0
python3-nmap: upgrade 1.5.4 -> 1.6.0
python3-pint: upgrade 0.20 -> 0.20.1
python3-protobuf: upgrade 4.21.8 -> 4.21.9
python3-pytest-benchmark: upgrade 3.4.1 -> 4.0.0
python3-pytest-html: upgrade 3.1.1 -> 3.2.0
python3-pytest-xdist: upgrade 2.5.0 -> 3.0.2
python3-requests-toolbelt: upgrade 0.10.0 -> 0.10.1
python3-websockets: upgrade 10.3 -> 10.4
fetchmail: Fix buildpaths warning.
libxpresent: upgrade 1.0.0 -> 1.0.1
xkbprint: upgrade 1.0.5 -> 1.0.6
xmlsec1: upgrade 1.2.34 -> 1.2.36
openwsman: Change download branch from master to main.
hwdata: upgrade 0.363 -> 0.364
lcms: upgrade 2.13.1 -> 2.14
libdbd-sqlite-perl: upgrade 1.70 -> 1.72
mosh: upgrade 1.3.2 -> 1.4.0
xfstests: upgrade 2022.10.09 -> 2022.10.30
ulogd2: upgrade 2.0.7 -> 2.0.8
cli11: upgrade 2.3.0 -> 2.3.1
ctags: upgrade 5.9.20221023.0 -> 5.9.20221106.0
valijson: upgrade 0.7 -> 1.0
openvpn: upgrade 2.5.7 -> 2.5.8
poco: upgrade 1.12.3 -> 1.12.4
poppler: upgrade 22.10.0 -> 22.11.0
satyr: upgrade 0.39 -> 0.40
ser1net: upgrade 4.3.8 -> 4.3.9
stunnel: upgrade 5.66 -> 5.67
wolfssl: upgrade 5.5.2 -> 5.5.3
tio: upgrade 2.2 -> 2.3
uhubctl: upgrade 2.4.0 -> 2.5.0
zabbix: upgrade 6.2.3 -> 6.2.4
python3-spidev: upgrade 3.5 -> 3.6
python3-gevent: upgrade 22.10.1 -> 22.10.2
python3-google-auth: upgrade 2.13.0 -> 2.14.0
python3-greenlet: upgrade 1.1.3.post0 -> 2.0.0
python3-robotframework: upgrade 6.0 -> 6.0.1
python3-regex: upgrade 2022.9.13 -> 2022.10.31
python3-pillow: upgrade 9.2.0 -> 9.3.0
python3-paramiko: upgrade 2.11.0 -> 2.12.0
python3-jsonref: upgrade 0.3.0 -> 1.0.1
leimaohui (1):
samba: Fix install conflict with multilib enabled.
zhengrq.fnst@fujitsu.com (5):
python3-sqlalchemy: upgrade 1.4.42 -> 1.4.43
python3-websocket-client: upgrade 1.4.1 -> 1.4.2
python3-termcolor: upgrade 2.0.1 -> 2.1.0
python3-zopeinterface: upgrade 5.5.0 -> 5.5.1
python3-tqdm: upgrade 4.64.0 -> 4.64.1
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I0a8f95b57a7b9433fe59a9055a4dae58694c1759
diff --git a/poky/documentation/dev-manual/common-tasks.rst b/poky/documentation/dev-manual/common-tasks.rst
index c747c0d..b9c4675 100644
--- a/poky/documentation/dev-manual/common-tasks.rst
+++ b/poky/documentation/dev-manual/common-tasks.rst
@@ -7157,8 +7157,7 @@
Using RPM
^^^^^^^^^
-The `Dandified Packaging
-Tool <https://en.wikipedia.org/wiki/DNF_(software)>`__ (DNF) performs
+The :wikipedia:`Dandified Packaging <DNF_(software)>` (DNF) performs
runtime package management of RPM packages. In order to use DNF for
runtime package management, you must perform an initial setup on the
target machine for cases where the ``PACKAGE_FEED_*`` variables were not
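Review bot: The link text on the added `:wikipedia:` line reads "Dandified Packaging", which drops the word "Tool" that the removed two-line link carried, so the sentence now renders as "The Dandified Packaging (DNF) performs". Suggest :wikipedia:`Dandified Packaging Tool <DNF_(software)>` so the conversion to the new role does not change the wording.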
@@ -7501,7 +7500,7 @@
Creating Node Package Manager (NPM) Packages
--------------------------------------------
-`NPM <https://en.wikipedia.org/wiki/Npm_(software)>`__ is a package
+:wikipedia:`NPM <Npm_(software)>` is a package
manager for the JavaScript programming language. The Yocto Project
supports the NPM :ref:`fetcher <bitbake:bitbake-user-manual/bitbake-user-manual-fetching:fetchers>`. You can
use this fetcher in combination with
@@ -9374,8 +9373,7 @@
- ``task-depends.dot``: A graph showing dependencies between tasks.
-The graphs are in
-`DOT <https://en.wikipedia.org/wiki/DOT_%28graph_description_language%29>`__
+The graphs are in :wikipedia:`DOT <DOT_%28graph_description_language%29>`
format and can be converted to images (e.g. using the ``dot`` tool from
`Graphviz <https://www.graphviz.org/>`__).
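Review bot: The target on the added "The graphs are in" line keeps the percent-encoded form DOT_%28graph_description_language%29, while the other :wikipedia: targets in this patch use literal parentheses (DNF_(software), Npm_(software)). Suggest DOT_(graph_description_language) for consistency in the source, after confirming that the role's URL template resolves both forms to the same page.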
@@ -11200,8 +11198,6 @@
- Compilation scripts and modifications to the source code must be
provided.
-- spdx files can be provided.
-
There are other requirements beyond the scope of these three and the
methods described in this section (e.g. the mechanism through which
source code is distributed).
@@ -11392,39 +11388,6 @@
your requirements to include the scripts to control compilation as well
as any modifications to the original source.
-Providing spdx files
-~~~~~~~~~~~~~~~~~~~~~~~~~
-
-The spdx module has been integrated to a layer named meta-spdxscanner.
-meta-spdxscanner provides several kinds of scanner. If you want to enable
-this function, you have to follow the following steps:
-
-1. Add meta-spdxscanner layer into ``bblayers.conf``.
-
-2. Refer to the README in meta-spdxscanner to setup the environment (e.g,
- setup a fossology server) needed for the scanner.
-
-3. Meta-spdxscanner provides several methods within the bbclass to create spdx files.
- Please choose one that you want to use and enable the spdx task. You have to
- add some config options in ``local.conf`` file in your :term:`Build Directory`.
- Here is an example showing how to generate spdx files during BitBake using the
- fossology-python.bbclass::
-
- # Select fossology-python.bbclass.
- INHERIT += "fossology-python"
- # For fossology-python.bbclass, TOKEN is necessary, so, after setup a
- # Fossology server, you have to create a token.
- TOKEN = "eyJ0eXAiO..."
- # The fossology server is necessary for fossology-python.bbclass.
- FOSSOLOGY_SERVER = "http://xx.xx.xx.xx:8081/repo"
- # If you want to upload the source code to a special folder:
- FOLDER_NAME = "xxxx" //Optional
- # If you don't want to put spdx files in tmp/deploy/spdx, you can enable:
- SPDX_DEPLOY_DIR = "${DEPLOY_DIR}" //Optional
-
-For more usage information refer to :yocto_git:`the meta-spdxscanner repository
-</meta-spdxscanner/>`.
-
Compliance Limitations with Executables Built from Static Libraries
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
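Review bot: Removing the "Providing spdx files" subsection leaves the compliance text around this hunk with no mention of SPDX, even though the same patch adds a "Creating a Software Bill of Materials" section further down the file. Suggest a one-sentence cross-reference to the new section at this point, so a reader who looks for SPDX output in the compliance context is directed to the create-spdx class.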
@@ -11470,7 +11433,7 @@
The Yocto Project has an infrastructure to track and address unfixed
known security vulnerabilities, as tracked by the public
-`Common Vulnerabilities and Exposures (CVE) <https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures>`__
+:wikipedia:`Common Vulnerabilities and Exposures (CVE) <Common_Vulnerabilities_and_Exposures>`
database.
The Yocto Project maintains a `list of known vulnerabilities
@@ -11518,7 +11481,7 @@
analysis, it has been deemed to ignore the issue as it for example affects
the software component on a different operating system platform.
-After build with CVE check enabled, reports for each compiled source recipe will be
+After a build with CVE check enabled, reports for each compiled source recipe will be
found in ``build/tmp/deploy/cve``.
For example the CVE check report for the ``flex-native`` recipe looks like::
@@ -11567,36 +11530,36 @@
some reported CVEs are not for the software component in question, or false negatives like
some CVEs are not found to impact the recipe when they should, then the problems can be
in the recipe name to CVE product mapping. These mapping issues can be fixed by setting
-the :term:`CVE_PRODUCT` variable inside the recipe. This defines the name of software component in the
+the :term:`CVE_PRODUCT` variable inside the recipe. This defines the name of the software component in the
upstream `NIST CVE database <https://nvd.nist.gov/>`__.
The variable supports using vendor and product names like this::
CVE_PRODUCT = "flex_project:flex"
-In this example from the vendor name used in CVE database is ``flex_project`` and
+In this example the vendor name used in the CVE database is ``flex_project`` and the
product is ``flex``. With this setting the ``flex`` recipe only maps to this specific
product and not products from other vendors with same name ``flex``.
-Similary, when the recipe version :term:`PV` is not compatible with software versions used by
+Similarly, when the recipe version :term:`PV` is not compatible with software versions used by
the upstream software component releases and the CVE database, these can be fixed using
-:term:`CVE_VERSION` variable.
+the :term:`CVE_VERSION` variable.
-Note that if the CVE entries in NVD databse contain bugs or have missing or incomplete
+Note that if the CVE entries in the NVD database contain bugs or have missing or incomplete
information, it is recommended to fix the information there directly instead of working
-around the issues for a possibly long time in Poky and OE-Core side recipes. Feedback to
-NVD about CVEs entries can be provided through the `NVD contact form <https://nvd.nist.gov/info/contact-form>`__.
+around the issues possibly for a long time in Poky and OE-Core side recipes. Feedback to
+NVD about CVE entries can be provided through the `NVD contact form <https://nvd.nist.gov/info/contact-form>`__.
Fixing vulnerabilities in recipes
---------------------------------
If a CVE security issue impacts a software component, it can be fixed by updating to a newer
version of the software component or by applying a patch. For Poky and OE-Core master branches, updating
-to newer software component release with fixes is the best option, but patches can be applied
+to a newer software component release with fixes is the best option, but patches can be applied
if releases are not yet available.
For stable branches, it is preferred to apply patches for the issues. For some software
-components minor version updates can also applied if they are backwards compatible.
+components minor version updates can also be applied if they are backwards compatible.
Here is an example of fixing CVE security issues with patch files,
an example from the :oe_layerindex:`ffmpeg recipe</layerindex/recipe/47350>`::
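Review bot: The unchanged line "product and not products from other vendors with same name ``flex``." in the CVE_PRODUCT paragraph is still missing an article, although this hunk fixes the same kind of omission on the lines around it. Suggest "with the same name" while the paragraph is being touched. The reworded "around the issues possibly for a long time" also reads less naturally than the original "for a possibly long time", so consider keeping the original word order there.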
@@ -11610,8 +11573,8 @@
file://fix-CVE-2020-22033-CVE-2020-22019.patch \
file://fix-CVE-2021-33815.patch \
-A good practice is to include the CVE identifier in both patch file name
-and inside the patch file commit message use the format::
+A good practice is to include the CVE identifier in both the patch file name
+and inside the patch file commit message using the format::
CVE: CVE-2020-22033
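Review bot: In the reworded sentence "include the CVE identifier in both the patch file name and inside the patch file commit message using the format::", the construction "both ... and inside" is not parallel. Suggest "in both the patch file name and the patch file commit message, using the format::".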
@@ -11619,7 +11582,7 @@
in the generated reports.
If analysis shows that the CVE issue does not impact the recipe due to configuration, platform,
-version or other reasons, the CVE can be marked as ``Ignored`` using :term:`CVE_CHECK_IGNORE` variable.
+version or other reasons, the CVE can be marked as ``Ignored`` using the :term:`CVE_CHECK_IGNORE` variable.
As mentioned previously, if data in the CVE database is wrong, it is recommend to fix those
issues in the CVE database directly.
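Review bot: The context line directly below the change, "As mentioned previously, if data in the CVE database is wrong, it is recommend to fix those", still has "recommend" where "recommended" is meant. Since this hunk is a grammar pass over the same paragraph, extend it by one line to fix that as well.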
@@ -11674,6 +11637,72 @@
- follow public `open source security mailing lists <https://oss-security.openwall.org/wiki/mailing-lists>`__ for
discussions and advance notifications of CVE bugs and software releases with fixes.
+Creating a Software Bill of Materials
+=====================================
+
+Once you are able to build an image for your project, once the licenses for
+each software component are all identified (see
+":ref:`dev-manual/common-tasks:working with licenses`") and once vulnerability
+fixes are applied (see ":ref:`dev-manual/common-tasks:checking
+for vulnerabilities`"), the OpenEmbedded build system can generate
+a description of all the components you used, their licenses, their dependencies,
+the changes that were applied and the known vulnerabilities that were fixed.
+
+This description is generated in the form of a *Software Bill of Materials*
+(:term:`SBOM`), using the :term:`SPDX` standard.
+
+When you release software, this is the most standard way to provide information
+about the Software Supply Chain of your software image and SDK. The
+:term:`SBOM` tooling is often used to ensure open source license compliance by
+providing the license texts used in the product which legal departments and end
+users can read in standardized format.
+
+:term:`SBOM` information is also critical to performing vulnerability exposure
+assessments, as all the components used in the Software Supply Chain are listed.
+
+The OpenEmbedded build system doesn't generate such information by default.
+To make this happen, you must inherit the
+:ref:`create-spdx <ref-classes-create-spdx>` class from a configuration file::
+
+ INHERIT += "create-spdx"
+
+You then get :term:`SPDX` output in JSON format as an
+``IMAGE-MACHINE.spdx.json`` file in ``tmp/deploy/images/MACHINE/`` inside the
+:term:`Build Directory`.
+
+This is a toplevel file accompanied by an ``IMAGE-MACHINE.spdx.index.json``
+containing an index of JSON :term:`SPDX` files for individual recipes, together
+with an ``IMAGE-MACHINE.spdx.tar.zst`` compressed archive containing all such
+files.
+
+The :ref:`create-spdx <ref-classes-create-spdx>` class offers options to include
+more information in the output :term:`SPDX` data, such as making the generated
+files more human readable (:term:`SPDX_PRETTY`), adding compressed archives of
+the files in the generated target packages (:term:`SPDX_ARCHIVE_PACKAGED`),
+adding a description of the source files handled by the target recipes
+(:term:`SPDX_INCLUDE_SOURCES`) and adding archives of these source files
+themselves (:term:`SPDX_ARCHIVE_SOURCES`).
+
+Though the toplevel :term:`SPDX` output is available in
+``tmp/deploy/images/MACHINE/`` inside the :term:`Build Directory`, ancillary
+generated files are available in ``tmp/deploy/spdx/MACHINE`` too, such as:
+
+- The individual :term:`SPDX` JSON files in the ``IMAGE-MACHINE.spdx.tar.zst``
+ archive.
+
+- Compressed archives of the files in the generated target packages,
+ in ``packages/packagename.tar.zst`` (when :term:`SPDX_ARCHIVE_PACKAGED`
+ is set).
+
+- Compressed archives of the source files used to build the host tools
+ and the target packages in ``recipes/recipe-packagename.tar.zst``
+ (when :term:`SPDX_ARCHIVE_SOURCES` is set). Those are needed to fulfill
+ "source code access" license requirements.
+
+See the `tools page <https://spdx.dev/resources/tools/>`__ on the :term:`SPDX`
+project website for a list of tools to consume and transform the :term:`SPDX`
+data generated by the OpenEmbedded build system.
+
Using the Error Reporting Tool
==============================
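Review bot: The new section uses IMAGE, MACHINE, packagename and recipe as placeholders in file names (for example ``IMAGE-MACHINE.spdx.json`` and ``recipes/recipe-packagename.tar.zst``) without ever saying what they stand for, and the two output directories are written inconsistently: ``tmp/deploy/images/MACHINE/`` has a trailing slash and ``tmp/deploy/spdx/MACHINE`` does not. Suggest one sentence after the first path that introduces the placeholders, and the same trailing-slash form for both directories. The opening sentence also chains three "once" clauses; splitting it in two would make the prerequisites easier to follow.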
@@ -11760,7 +11789,7 @@
Using Wayland and Weston
========================
-`Wayland <https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)>`__
+:wikipedia:`Wayland <Wayland_(display_server_protocol)>`
is a computer display server protocol that provides a method for
compositing window managers to communicate directly with applications
and video hardware and expects them to communicate with input hardware
@@ -11769,20 +11798,18 @@
might otherwise achieve.
The Yocto Project provides the Wayland protocol libraries and the
-reference
-`Weston <https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)#Weston>`__
+reference :wikipedia:`Weston <Wayland_(display_server_protocol)#Weston>`
compositor as part of its release. You can find the integrated packages
in the ``meta`` layer of the :term:`Source Directory`.
Specifically, you
can find the recipes that build both Wayland and Weston at
``meta/recipes-graphics/wayland``.
-You can build both the Wayland and Weston packages for use only with
-targets that accept the `Mesa 3D and Direct Rendering
-Infrastructure <https://en.wikipedia.org/wiki/Mesa_(computer_graphics)>`__,
-which is also known as Mesa DRI. This implies that you cannot build and
-use the packages if your target uses, for example, the Intel Embedded
-Media and Graphics Driver (Intel EMGD) that overrides Mesa DRI.
+You can build both the Wayland and Weston packages for use only with targets
+that accept the :wikipedia:`Mesa 3D and Direct Rendering Infrastructure
+<Mesa_(computer_graphics)>`, which is also known as Mesa DRI. This implies that
+you cannot build and use the packages if your target uses, for example, the
+Intel Embedded Media and Graphics Driver (Intel EMGD) that overrides Mesa DRI.
.. note::