| Age | Commit message (Collapse) | Author |
|---|
|
license identifiers
An automated conversion using scripts/contrib/convert-spdx-licenses.py to
convert to use the standard SPDX license identifiers. Two recipes in meta-selftest
were not converted as they're that way specifically for testing. A change in
linux-firmware was also skipped and may need a more manual tweak.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Recently a number of CVEs have been logged against a nodejs project
called "node-tar". These appear as false positives against the GNU tar
being built by Yocto. Some of these have been manually excluded using
CVE_CHECK_WHITELIST.
To avoid this problem, use the vendor name (in addition to package name)
for filtering CVEs. The syntax for this is:
CVE_PRODUCT = "vendor:package"
When not specified, the vendor defaults to "%" which matches anything.
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
|
|
These three CVEs are specific to the Node package node-tar.
exclude: CVE-2021-37701 CVE-2021-37712 CVE-2021-37713
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Add pkgconfig setting for selinux.
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
These two CVEs are specific to the Node package node-tar.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Drop musl fix as upstream fixed the issue.
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
rsh is insecure and obsolete but tar will enable support if the binary is
on the host system. Some systems point it at ssh. Lets explictly disable it
for now unless someone actually needs/uses this at which point it could
become a packageconfig.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
When the original problem was fixed in gnulib the
patches were rebased on top of the upstream fix...
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
native clashing
The rmt in cpio-native and tar-native is clashing, since
tar-native has set var-NATIVE_PACKAGE_PATH_SUFFIX, we move rmt
to sbindir, and add suffix NATIVE_PACKAGE_PATH_SUFFIX to sbindir
could avoid the clashing.
And in Ubuntu, rmt is in sbindir
$ which rmt
/usr/sbin/rmt
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Remove the musl specific do_install, as it's not suitable for this
version.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
There's only one user of tar.inc (meta-gplv2 has its own copy), so
merge the .inc file into the tar recipe.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
1.Upgrade tar from 1.29 to 1.30.
2.Modify musl_dirent.patch, since the data has been changed.
3.Delete CVE-2016-6321.patch, since it is integrated upstream.
Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
These are recipes where the upstream has moved to GPLv3 and these old
versions are the last ones under the GPLv2 license.
There are several reasons for making this move. There is a different
quality of service with these recipes in that they don't get security
fixes and upstream no longer care about them, in fact they're actively
hostile against people using old versions. The recipes tend to need a
different kind of maintenance to work with changes in the wider ecosystem
and there needs to be isolation between changes made in the v3 versions
and those in the v2 versions.
There are probably better ways to handle a "non-GPLv3" system but right
now having these in OE-Core makes them look like a first class citizen
when I believe they have potential for a variety of undesireable issues.
Moving them into a separate layer makes their different needs clearer, it
also makes it clear how many of these there are. Some are probably not
needed (e.g. mc), I also wonder whether some are useful (e.g. gmp)
since most things that use them are GPLv3 only already. Someone could
now more clearly see how to streamline the list of recipes here.
I'm proposing we mmove to this separate layer for 2.3 with its future
maintinership and testing to be determined in 2.4 and beyond.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Skip members whose names contain "..".
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6321
Upstream patch:
http://git.savannah.gnu.org/cgit/tar.git/commit/?id=7340f67b9860ea0531c1450e5aa261c50f671
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Refresh remove-gets.patch for the latest version.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
It only considered linux-gnu hosts when cross compiling
here we add linux-musl to the mix as well
Fixes errors e.g.
1.28-r0/tar-1.28/src/tar.c:1351:5: error: 'SAVEDIR_SORT_INODE'
undeclared here (not in a function)
| SAVEDIR_SORT_INODE
| ^
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
The currnet patches in OE-core doesn't have the "CVE:"
tag, now part of the policy of the patches.
This is patch add this tag to several patches. There might
be patches that I miss; the tag can be added in the future.
Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Don't try to move binaries onto themselves if ${bindir} and
${base_bindir} are the same, as is the case on systems with a
merged /usr directory.
Signed-off-by: Dominic Sacré <dominic.sacre@gmx.de>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Building tar-replacement-native as replacement of the host's tar in
the standard path was meant to be done manually by a user in
preparation for the regular bitbake run. Such a usage has been
superseeded by installing the pre-compiled buildutils and might have
been broken on hosts which need it by the sanity check for tar >=
1.26.
Therefore tar-replacement-native_1.28.bb can be removed in favor of
adapting the normal tar recipe such that it installs an opt-in binary
under a different path.
The special do_install logic is explicitly limited to class-target,
instead of making it the default and disabling it (which would be the
case for class-native and class-nativesdk).
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
dpkg-deb accesses tar via "gtar", add a symlink to ensure that nativesdk
for example correctly catches these accesses to tar (for buildtools-tarball).
This likely also fixes on target dpkg-deb usage.
[YOCTO #7988]
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
There would be an error when the TMPDIR is long/deep, for example when
len(TMPDIR) = 410 while our supported longest value is 410:
aclocal: error: cannot open xxx
autoreconf: aclocal failed with exit status: 1
ERROR: autoreconf execution failed.
Let aclocal use the relative path for the m4 file rather than the
absolute would fix the problem.
[YOCTO #6138]
Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
WARNING: QA Issue: tar: configure was passed unrecognised options: --without-posix-acls [unknown-configure-option]
tar 1.17 doesn't support --without-posix-acls, move it from tar.inc to
tar_1.28.bb to fix the problem.
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
|
|
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The class itself currently does nothing. The idea is to mark all recipes that
make use of the texinfo utilities. In the future, this class could be used to
suppress the generation/formatting of documentation for performance,
explicitly track dependencies on these utilities, and eliminate Yocto's
current dependency on the host system's texinfo utilities.
Signed-off-by: Max Eliaser <max.eliaser@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Previously, it still was checked when there was no sys/acl.h in sysroots directory.
Add knob to decide whether acl.h are checked or not.
Fixed by using PACKAGECONFIG to check acl, with default disabled set.
Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Laurentiu Palcu <laurentiu.palcu@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Refreshed remove-gets.patch to apply correctly.
Signed-off-by: Laurentiu Palcu <laurentiu.palcu@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
This removed patch is a workaround for gcc-4.5 manifests buffer
overflow with app-arch/tar-1.{22,23}, according to the information
from https://bugs.gentoo.org/show_bug.cgi?id=317139.
The problem with that patch is that it's only setting the magic
field of the header while the original statement sets both the magic
and the version field of the header. Because of this, all tar balls
created by the tar package in OE will be treated as old V7 format
tar balls.
As a negative effect of this behaviour, the tar package in OE cannot
handle device files correctly. This in turn leads to the udev cache
failure in images like core-image-lsb-sdk.
[YOCTO #4815]
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
We move tar into /bin for target but it can stay in /usr/bin for nativesdk
this will also mean the paths are correct for the buildtools-tarball environment
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
We need to be able to generate a standalone tarball containing tar/git so
add nativesdk versions of the appropriate recipes to allow this to be possible.
Tweak the git perl paths to avoid warnings when building the nativesdk version,
ensure the binaries are wrapped correctly and avoid update-alternatives in
nativesdk-tar.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
See https://qa.mandriva.com/show_bug.cgi?id=61419 for details.
Signed-off-by: Christopher Larson <chris_larson@mentor.com>
the patch was imported from meta-mentor layer on yoctoproject git server
http://git.yoctoproject.org/cgit/cgit.cgi/meta-mentor as of commit id
333d2e0510a1e052cb83a6f8beed6d8bcea59b2c
Signed-off-by: Fahad Usman <fahad_usman@mentor.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
After the recent change of the libexecdir definition, the update-alternatives
for the libexec rmt broke. Fix this by moving rmt from libexec to /sbin. Also
split the rmt app from tar as it's likely not useful to many users.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
automake 1.12.x automatically deletes empty directories, so
the additional rmdir from the do_install_append fails.
cleanup the do_install_append for automake 1.12.x
Avoid this error:
| rmdir: failed to remove `/srv/home/nitin/builds/build-gcc47/tmp/work/i586-poky-linux/tar-1.26-r1/image/usr/sbin/': No such file or directory
NOTE: package tar-1.26-r1: task do_install: Failed
no PR bump as no change in the output.
Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
eglibc 2.16 does not export gets anymore
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
WARNING: For recipe tar, the following files/directories were installed but not shipped in any package:
WARNING: /usr/sbin
WARNING: /usr/bin
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
As discussed on the mailing list, this variable isn't useful and if wanted
would be better implemented by distros using pn-X overrides.
This patch executes:
find . -regex ".*\.\(bb\|inc\)$" | xargs sed -i '/^PRIORITY = ".*"$/d'
against the tree removing the referenced. Thanks to Phil Blundell for
the command.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Scott Garman <scott.a.garman@intel.com>
|
|
grep-2.5.1a: update upstream status of patches
tar-1.17: update upstream-status of patches
at-3.1.12: update upstream-status for patches
cpio-2.8: update upstream-status for patches
Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
|
|
Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
|
|
This fixes bug [YOCTO #982]
Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
tar < 1.24 has symlink issues where extracting a tar archive containing a symlink
to a directory where that symlink already exists will cause the symlink to be
dereferenced. If that target doesn't exist tar can fail with a permissions error.
Since we need to be able to do this for packages containing symlinks like
xorg-minimal-fonts and eglibc, we have to ensure a tar 1.25 is available early
in the build process.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Add Summary information and update descriptions as necessary.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
Signed-off-by: Scott Garman <scott.a.garman@intel.com>
|
Richard Purdie
Ralph Siemsen
Armin Kuster
Mingli Yu
Ross Burton
Oleksandr Kravchuk
Alexander Kanavin
Adrian Bunk
Hongxu Jia
Chen Qi
Andre McCurdy
Huang Qiyu
Sona Sarmadi
Khem Raj
Mariano Lopez
Dominic Sacré
Patrick Ohly
Chong Lu
Robert Yang
Max Eliaser
Laurentiu Palcu
Saul Wold
Fahad Usman
Mark Hatle
Nitin A Kamble
Scott Garman