poky: subtree update:a616ffebdc..9052e5b32a
Adrian Bunk (1):
bind: Whitelist CVE-2019-6470
Alexander Kanavin (13):
python: update to 2.7.17
tiff: update to 4.1.0
librepo: upgrade 1.10.6 -> 1.11.0
btrfs-tools: upgrade 5.3 -> 5.3.1
psmisc: update to 23.3
libxslt: update to 1.1.34
Revert "devtool/standard.py: Not filtering devtool workspace for devtool finish"
mpg123: upgrade 1.25.12 -> 1.25.13
vala: upgrade 0.46.3 -> 0.46.4
sysstat: upstream version check is working again
cairo: the component is dual licensed
selftest: check that 'devtool upgrade' correctly drops backported patches
runqemu: add options that enable virgl with the SDL frontend
Alistair Francis (1):
mesa: Upgrade to 19.2.4
Anuj Mittal (7):
boost: fix build for x32
rng-tools: upgrade 6.7 -> 6.8
harfbuzz: upgrade 2.6.1 -> 2.6.4
libsolv: upgrade 0.7.6 -> 0.7.8
sqlite3: upgrade 3.30.0 -> 3.30.1
stress-ng: upgrade 0.10.08 -> 0.10.10
glib-2.0: upgrade 2.62.1 -> 2.62.2
Armin Kuster (9):
oeqa/manual/bsp-hw: remove rpm -ivh test
oeqa/runtime/boot: add reboot test
oeqa/manual/bsp-hw: remove reboot test
oeqa/manual/bsp-hw: move storage tests to runtime
oeqa/manual/bsp-hw: remove usb and SDmicro tests
manual/bsd-hw: remove bash tests
oeqa/manual/compliance-test: remove crashme tests
oeqa/manual/compliance-test: move crashme to runtime
/oeqa/manual/compliance-test: remove obsolete test
Chee Yang Lee (2):
wic: rm with -r flag support
selftest/wic: test wic rm with -r flag
Denys Dmytriyenko (1):
distro_features_check: expand with MACHINE_FEATURES and COMBINED_FEATURES, rename
Kai Kang (1):
systemd: remove ${PN}-xorg-xinitrc
Khem Raj (1):
webkitgtk: Remove clang specific option
Paul Barker (1):
cdrtools-native: Don't set uid/gid during install
Paul Eggleton (1):
devtool: fix devtool upgrade with reproducible_builds class
Richard Purdie (10):
oeqa/devtool: Avoid unbound variable errors
recipetool/create: Fix to work with reproducible_builds
opkg: Add upstream fixes for empty packages
opkg-utils: Fix silent empty/broken opkg package creation
core-image-full-cmdline: Add less
bitbake: fetch2/clearcase: Fix warnings from python 3.8
bitbake: runqueue: Fix hash equivalence duplicate tasks running
sanity: Add check for tar older than 1.28
oeqa/selftest/sstatetests: Ensure we don't use hashequiv for sstatesigs tests
package_ipk: Remove pointless comment to trigger rebuild
Ross Burton (8):
cve-update-db-native: don't hardcode the database name
cve-update-db-native: add an index on the CVE ID column
cve-update-db-native: clean up proxy handling
cve-check: rewrite look to fix false negatives
cve-check: neaten get_cve_info
cve-check: fetch CVE data once at a time instead of in a single call
bitbake: tests: add test for the hashing functions
bitbake: utils: also use mmap for SHA256 and SHA1, for performance
Yi Zhao (1):
bitbake: contrib/vim/indent/bitbake.vim: move it to correct directory
Change-Id: I526155f21145180c764252a2ae5bfba33def10ff
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
diff --git a/poky/meta/classes/cve-check.bbclass b/poky/meta/classes/cve-check.bbclass
index 3326944..19ed554 100644
--- a/poky/meta/classes/cve-check.bbclass
+++ b/poky/meta/classes/cve-check.bbclass
@@ -165,7 +165,6 @@
"""
Connect to the NVD database and find unpatched cves.
"""
- import ast, csv, tempfile, subprocess, io
from distutils.version import LooseVersion
cves_unpatched = []
@@ -187,68 +186,74 @@
cve_whitelist = d.getVar("CVE_CHECK_WHITELIST").split()
import sqlite3
- db_file = d.getVar("CVE_CHECK_DB_FILE")
- conn = sqlite3.connect(db_file)
+ db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
+ conn = sqlite3.connect(db_file, uri=True)
+ # For each of the known product names (e.g. curl has CPEs using curl and libcurl)...
for product in products:
- c = conn.cursor()
if ":" in product:
vendor, product = product.split(":", 1)
- c.execute("SELECT * FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR IS ?", (product, vendor))
else:
- c.execute("SELECT * FROM PRODUCTS WHERE PRODUCT IS ?", (product,))
+ vendor = "%"
- for row in c:
- cve = row[0]
- version_start = row[3]
- operator_start = row[4]
- version_end = row[5]
- operator_end = row[6]
+ # Find all relevant CVE IDs.
+ for cverow in conn.execute("SELECT DISTINCT ID FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR LIKE ?", (product, vendor)):
+ cve = cverow[0]
if cve in cve_whitelist:
bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve))
# TODO: this should be in the report as 'whitelisted'
patched_cves.add(cve)
+ continue
elif cve in patched_cves:
bb.note("%s has been patched" % (cve))
- else:
- to_append = False
+ continue
+
+ vulnerable = False
+ for row in conn.execute("SELECT * FROM PRODUCTS WHERE ID IS ? AND PRODUCT IS ? AND VENDOR LIKE ?", (cve, product, vendor)):
+ (_, _, _, version_start, operator_start, version_end, operator_end) = row
+ #bb.debug(2, "Evaluating row " + str(row))
+
if (operator_start == '=' and pv == version_start):
- to_append = True
+ vulnerable = True
else:
if operator_start:
try:
- to_append_start = (operator_start == '>=' and LooseVersion(pv) >= LooseVersion(version_start))
- to_append_start |= (operator_start == '>' and LooseVersion(pv) > LooseVersion(version_start))
+ vulnerable_start = (operator_start == '>=' and LooseVersion(pv) >= LooseVersion(version_start))
+ vulnerable_start |= (operator_start == '>' and LooseVersion(pv) > LooseVersion(version_start))
except:
bb.warn("%s: Failed to compare %s %s %s for %s" %
(product, pv, operator_start, version_start, cve))
- to_append_start = False
+ vulnerable_start = False
else:
- to_append_start = False
+ vulnerable_start = False
if operator_end:
try:
- to_append_end = (operator_end == '<=' and LooseVersion(pv) <= LooseVersion(version_end))
- to_append_end |= (operator_end == '<' and LooseVersion(pv) < LooseVersion(version_end))
+ vulnerable_end = (operator_end == '<=' and LooseVersion(pv) <= LooseVersion(version_end))
+ vulnerable_end |= (operator_end == '<' and LooseVersion(pv) < LooseVersion(version_end))
except:
bb.warn("%s: Failed to compare %s %s %s for %s" %
(product, pv, operator_end, version_end, cve))
- to_append_end = False
+ vulnerable_end = False
else:
- to_append_end = False
+ vulnerable_end = False
if operator_start and operator_end:
- to_append = to_append_start and to_append_end
+ vulnerable = vulnerable_start and vulnerable_end
else:
- to_append = to_append_start or to_append_end
+ vulnerable = vulnerable_start or vulnerable_end
- if to_append:
+ if vulnerable:
bb.note("%s-%s is vulnerable to %s" % (product, pv, cve))
cves_unpatched.append(cve)
- else:
- bb.note("%s-%s is not vulnerable to %s" % (product, pv, cve))
- patched_cves.add(cve)
+ break
+
+ if not vulnerable:
+ bb.note("%s-%s is not vulnerable to %s" % (product, pv, cve))
+ # TODO: not patched but not vulnerable
+ patched_cves.add(cve)
+
conn.close()
return (list(patched_cves), cves_unpatched)
@@ -256,31 +261,23 @@
def get_cve_info(d, cves):
"""
Get CVE information from the database.
-
- Unfortunately the only way to get CVE info is set the output to
- html (hard to parse) or query directly the database.
"""
- try:
- import sqlite3
- except ImportError:
- from pysqlite2 import dbapi2 as sqlite3
+ import sqlite3
cve_data = {}
- db_file = d.getVar("CVE_CHECK_DB_FILE")
- placeholder = ",".join("?" * len(cves))
- query = "SELECT * FROM NVD WHERE id IN (%s)" % placeholder
- conn = sqlite3.connect(db_file)
- cur = conn.cursor()
- for row in cur.execute(query, tuple(cves)):
- cve_data[row[0]] = {}
- cve_data[row[0]]["summary"] = row[1]
- cve_data[row[0]]["scorev2"] = row[2]
- cve_data[row[0]]["scorev3"] = row[3]
- cve_data[row[0]]["modified"] = row[4]
- cve_data[row[0]]["vector"] = row[5]
- conn.close()
+ conn = sqlite3.connect(d.getVar("CVE_CHECK_DB_FILE"))
+ for cve in cves:
+ for row in conn.execute("SELECT * FROM NVD WHERE ID IS ?", (cve,)):
+ cve_data[row[0]] = {}
+ cve_data[row[0]]["summary"] = row[1]
+ cve_data[row[0]]["scorev2"] = row[2]
+ cve_data[row[0]]["scorev3"] = row[3]
+ cve_data[row[0]]["modified"] = row[4]
+ cve_data[row[0]]["vector"] = row[5]
+
+ conn.close()
return cve_data
def cve_write_data(d, patched, unpatched, cve_data):
diff --git a/poky/meta/classes/distro_features_check.bbclass b/poky/meta/classes/distro_features_check.bbclass
index eeaa3b4..8124a8c 100644
--- a/poky/meta/classes/distro_features_check.bbclass
+++ b/poky/meta/classes/distro_features_check.bbclass
@@ -1,32 +1,7 @@
-# Allow checking of required and conflicting DISTRO_FEATURES
-#
-# ANY_OF_DISTRO_FEATURES: ensure at least one item on this list is included
-# in DISTRO_FEATURES.
-# REQUIRED_DISTRO_FEATURES: ensure every item on this list is included
-# in DISTRO_FEATURES.
-# CONFLICT_DISTRO_FEATURES: ensure no item in this list is included in
-# DISTRO_FEATURES.
-#
-# Copyright 2013 (C) O.S. Systems Software LTDA.
+# Temporarily provide fallback to the old name of the class
-python () {
- # Assume at least one var is set.
- distro_features = set((d.getVar('DISTRO_FEATURES') or '').split())
-
- any_of_distro_features = set((d.getVar('ANY_OF_DISTRO_FEATURES') or '').split())
- if any_of_distro_features:
- if set.isdisjoint(any_of_distro_features, distro_features):
- raise bb.parse.SkipRecipe("one of '%s' needs to be in DISTRO_FEATURES" % ' '.join(any_of_distro_features))
-
- required_distro_features = set((d.getVar('REQUIRED_DISTRO_FEATURES') or '').split())
- if required_distro_features:
- missing = set.difference(required_distro_features, distro_features)
- if missing:
- raise bb.parse.SkipRecipe("missing required distro feature%s '%s' (not in DISTRO_FEATURES)" % ('s' if len(missing) > 1 else '', ' '.join(missing)))
-
- conflict_distro_features = set((d.getVar('CONFLICT_DISTRO_FEATURES') or '').split())
- if conflict_distro_features:
- conflicts = set.intersection(conflict_distro_features, distro_features)
- if conflicts:
- raise bb.parse.SkipRecipe("conflicting distro feature%s '%s' (in DISTRO_FEATURES)" % ('s' if len(conflicts) > 1 else '', ' '.join(conflicts)))
+python __anonymous() {
+ bb.warn("distro_features_check.bbclass is deprecated, please use features_check.bbclass instead")
}
+
+inherit features_check
diff --git a/poky/meta/classes/features_check.bbclass b/poky/meta/classes/features_check.bbclass
new file mode 100644
index 0000000..391fbe1
--- /dev/null
+++ b/poky/meta/classes/features_check.bbclass
@@ -0,0 +1,85 @@
+# Allow checking of required and conflicting DISTRO_FEATURES
+#
+# ANY_OF_DISTRO_FEATURES: ensure at least one item on this list is included
+# in DISTRO_FEATURES.
+# REQUIRED_DISTRO_FEATURES: ensure every item on this list is included
+# in DISTRO_FEATURES.
+# CONFLICT_DISTRO_FEATURES: ensure no item in this list is included in
+# DISTRO_FEATURES.
+# ANY_OF_MACHINE_FEATURES: ensure at least one item on this list is included
+# in MACHINE_FEATURES.
+# REQUIRED_MACHINE_FEATURES: ensure every item on this list is included
+# in MACHINE_FEATURES.
+# CONFLICT_MACHINE_FEATURES: ensure no item in this list is included in
+# MACHINE_FEATURES.
+# ANY_OF_COMBINED_FEATURES: ensure at least one item on this list is included
+# in COMBINED_FEATURES.
+# REQUIRED_COMBINED_FEATURES: ensure every item on this list is included
+# in COMBINED_FEATURES.
+# CONFLICT_COMBINED_FEATURES: ensure no item in this list is included in
+# COMBINED_FEATURES.
+#
+# Copyright 2019 (C) Texas Instruments Inc.
+# Copyright 2013 (C) O.S. Systems Software LTDA.
+
+python () {
+ # Assume at least one var is set.
+ distro_features = set((d.getVar('DISTRO_FEATURES') or '').split())
+
+ any_of_distro_features = set((d.getVar('ANY_OF_DISTRO_FEATURES') or '').split())
+ if any_of_distro_features:
+ if set.isdisjoint(any_of_distro_features, distro_features):
+ raise bb.parse.SkipRecipe("one of '%s' needs to be in DISTRO_FEATURES" % ' '.join(any_of_distro_features))
+
+ required_distro_features = set((d.getVar('REQUIRED_DISTRO_FEATURES') or '').split())
+ if required_distro_features:
+ missing = set.difference(required_distro_features, distro_features)
+ if missing:
+ raise bb.parse.SkipRecipe("missing required distro feature%s '%s' (not in DISTRO_FEATURES)" % ('s' if len(missing) > 1 else '', ' '.join(missing)))
+
+ conflict_distro_features = set((d.getVar('CONFLICT_DISTRO_FEATURES') or '').split())
+ if conflict_distro_features:
+ conflicts = set.intersection(conflict_distro_features, distro_features)
+ if conflicts:
+ raise bb.parse.SkipRecipe("conflicting distro feature%s '%s' (in DISTRO_FEATURES)" % ('s' if len(conflicts) > 1 else '', ' '.join(conflicts)))
+
+ # Assume at least one var is set.
+ machine_features = set((d.getVar('MACHINE_FEATURES') or '').split())
+
+ any_of_machine_features = set((d.getVar('ANY_OF_MACHINE_FEATURES') or '').split())
+ if any_of_machine_features:
+ if set.isdisjoint(any_of_machine_features, machine_features):
+ raise bb.parse.SkipRecipe("one of '%s' needs to be in MACHINE_FEATURES" % ' '.join(any_of_machine_features))
+
+ required_machine_features = set((d.getVar('REQUIRED_MACHINE_FEATURES') or '').split())
+ if required_machine_features:
+ missing = set.difference(required_machine_features, machine_features)
+ if missing:
+ raise bb.parse.SkipRecipe("missing required machine feature%s '%s' (not in MACHINE_FEATURES)" % ('s' if len(missing) > 1 else '', ' '.join(missing)))
+
+ conflict_machine_features = set((d.getVar('CONFLICT_MACHINE_FEATURES') or '').split())
+ if conflict_machine_features:
+ conflicts = set.intersection(conflict_machine_features, machine_features)
+ if conflicts:
+ raise bb.parse.SkipRecipe("conflicting machine feature%s '%s' (in MACHINE_FEATURES)" % ('s' if len(conflicts) > 1 else '', ' '.join(conflicts)))
+
+ # Assume at least one var is set.
+ combined_features = set((d.getVar('COMBINED_FEATURES') or '').split())
+
+ any_of_combined_features = set((d.getVar('ANY_OF_COMBINED_FEATURES') or '').split())
+ if any_of_combined_features:
+ if set.isdisjoint(any_of_combined_features, combined_features):
+ raise bb.parse.SkipRecipe("one of '%s' needs to be in COMBINED_FEATURES" % ' '.join(any_of_combined_features))
+
+ required_combined_features = set((d.getVar('REQUIRED_COMBINED_FEATURES') or '').split())
+ if required_combined_features:
+ missing = set.difference(required_combined_features, combined_features)
+ if missing:
+ raise bb.parse.SkipRecipe("missing required machine feature%s '%s' (not in COMBINED_FEATURES)" % ('s' if len(missing) > 1 else '', ' '.join(missing)))
+
+ conflict_combined_features = set((d.getVar('CONFLICT_COMBINED_FEATURES') or '').split())
+ if conflict_combined_features:
+ conflicts = set.intersection(conflict_combined_features, combined_features)
+ if conflicts:
+ raise bb.parse.SkipRecipe("conflicting machine feature%s '%s' (in COMBINED_FEATURES)" % ('s' if len(conflicts) > 1 else '', ' '.join(conflicts)))
+}
diff --git a/poky/meta/classes/package_ipk.bbclass b/poky/meta/classes/package_ipk.bbclass
index 9f9da2f..4f23977 100644
--- a/poky/meta/classes/package_ipk.bbclass
+++ b/poky/meta/classes/package_ipk.bbclass
@@ -154,7 +154,6 @@
ctrlfile.write('%s\n' % textwrap.fill(description, width=74, initial_indent=' ', subsequent_indent=' '))
else:
ctrlfile.write(c % tuple(pullData(fs, localdata)))
- # more fields
custom_fields_chunk = get_package_additional_metadata("ipk", localdata)
if custom_fields_chunk is not None:
diff --git a/poky/meta/classes/sanity.bbclass b/poky/meta/classes/sanity.bbclass
index a14bf53..63ab6cf 100644
--- a/poky/meta/classes/sanity.bbclass
+++ b/poky/meta/classes/sanity.bbclass
@@ -523,6 +523,7 @@
# Tar version 1.24 and onwards handle overwriting symlinks correctly
# but earlier versions do not; this needs to work properly for sstate
+# Version 1.28 is needed so opkg-build works correctly when reproducibile builds are enabled
def check_tar_version(sanity_data):
from distutils.version import LooseVersion
import subprocess
@@ -532,7 +533,9 @@
return "Unable to execute tar --version, exit code %d\n%s\n" % (e.returncode, e.output)
version = result.split()[3]
if LooseVersion(version) < LooseVersion("1.24"):
- return "Your version of tar is older than 1.24 and has bugs which will break builds. Please install a newer version of tar.\n"
+ return "Your version of tar is older than 1.24 and has bugs which will break builds. Please install a newer version of tar (1.28+).\n"
+ if LooseVersion(version) < LooseVersion("1.28"):
+ return "Your version of tar is older than 1.28 and does not have the support needed to enable reproducible builds. Please install a newer version of tar (you could use the projects buildtools-tarball from our last release).\n"
return None
# We use git parameters and functionality only found in 1.7.8 or later