* [hardknott] [PATCH 1/5] expat: set CVE_PRODUCT
@ 2021-06-02 13:27 Richard Purdie
  2021-06-02 13:27 ` [hardknott] [PATCH 2/5] flex: correct license information Richard Purdie
                   ` (4 more replies)
  0 siblings, 5 replies; 8+ messages in thread
From: Richard Purdie @ 2021-06-02 13:27 UTC (permalink / raw)
  To: openembedded-core; +Cc: Steve Sakoman

From: Steve Sakoman <steve@sakoman.com>

Upstream database uses both "expat" and "libexpat" to report CVEs

Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-core/expat/expat_2.2.10.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-core/expat/expat_2.2.10.bb b/meta/recipes-core/expat/expat_2.2.10.bb
index fa263775b39..a54d832e52d 100644
--- a/meta/recipes-core/expat/expat_2.2.10.bb
+++ b/meta/recipes-core/expat/expat_2.2.10.bb
@@ -25,3 +25,5 @@ do_install_ptest_class-target() {
 }
 
 BBCLASSEXTEND += "native nativesdk"
+
+CVE_PRODUCT = "expat libexpat"
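Review bot: The added `CVE_PRODUCT = "expat libexpat"` line at the end of the recipe has no comment explaining why two product names are listed, so the reason lives only in the commit message. A one-line comment above it (for example, that the upstream CVE database reports this project under both names) would keep a later recipe upgrade or cleanup from dropping one of the names and losing the CVEs reported under it.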
-- 
2.30.2



* [hardknott] [PATCH 2/5] flex: correct license information
  2021-06-02 13:27 [hardknott] [PATCH 1/5] expat: set CVE_PRODUCT Richard Purdie
@ 2021-06-02 13:27 ` Richard Purdie
  2021-06-02 13:27 ` [hardknott] [PATCH 3/5] pkgconfig: update SRC_URI Richard Purdie
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 8+ messages in thread
From: Richard Purdie @ 2021-06-02 13:27 UTC (permalink / raw)
  To: openembedded-core; +Cc: Nikolay Papenkov, Dmitry Kisil

From: Nikolay Papenkov <n.papenkov@inango-systems.com>

License-Update: Corrected license information

flex package is under two licenses:
- "BSD-3-Clause" is provided in top-level COPYING file; the license
  actually includes the third obligation (without the actual "3" numbering)
- "LGPL-2.0+" is explained by src/gettext.h

Signed-off-by: Dmitry Kisil <d.kisil@inango-systems.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-devtools/flex/flex_2.6.4.bb | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-devtools/flex/flex_2.6.4.bb b/meta/recipes-devtools/flex/flex_2.6.4.bb
index 1d43d2228ac..54e7e01729d 100644
--- a/meta/recipes-devtools/flex/flex_2.6.4.bb
+++ b/meta/recipes-devtools/flex/flex_2.6.4.bb
@@ -3,12 +3,14 @@ DESCRIPTION = "Flex is a fast lexical analyser generator.  Flex is a tool for ge
 lexical patterns in text."
 HOMEPAGE = "http://sourceforge.net/projects/flex/"
 SECTION = "devel"
-LICENSE = "BSD-2-Clause"
+LICENSE = "BSD-3-Clause & LGPL-2.0+"
+LICENSE_${PN}-libfl = "BSD-3-Clause"
 
 DEPENDS = "${@bb.utils.contains('PTEST_ENABLED', '1', 'bison-native flex-native', '', d)}"
 BBCLASSEXTEND = "native nativesdk"
 
-LIC_FILES_CHKSUM = "file://COPYING;md5=e4742cf92e89040b39486a6219b68067"
+LIC_FILES_CHKSUM = "file://COPYING;md5=e4742cf92e89040b39486a6219b68067 \
+                    file://src/gettext.h;beginline=1;endline=17;md5=9c05dda2f58d89b850c399cf22e1a00c"
 
 SRC_URI = "https://github.com/westes/flex/releases/download/v${PV}/flex-${PV}.tar.gz \
            file://run-ptest \
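Review bot: The per-package override `LICENSE_${PN}-libfl = "BSD-3-Clause"` is added without any rationale; the commit message explains where the two licences come from but not why libfl alone is exempt from the LGPL-2.0+ part. Please state in the message or in a comment next to the override that `src/gettext.h` does not end up in the libfl package, if that is the reasoning, so the narrower licence can be re-checked on the next version bump.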
-- 
2.30.2



* [hardknott] [PATCH 3/5] pkgconfig: update SRC_URI
  2021-06-02 13:27 [hardknott] [PATCH 1/5] expat: set CVE_PRODUCT Richard Purdie
  2021-06-02 13:27 ` [hardknott] [PATCH 2/5] flex: correct license information Richard Purdie
@ 2021-06-02 13:27 ` Richard Purdie
  2021-06-02 13:27 ` [hardknott] [PATCH 4/5] package_rpm: pass XZ_THREADS to rpm Richard Purdie
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 8+ messages in thread
From: Richard Purdie @ 2021-06-02 13:27 UTC (permalink / raw)
  To: openembedded-core; +Cc: Changqing Li

From: Changqing Li <changqing.li@windriver.com>

The git repo for pkg-config was changed, so update the
SRC_URI accordingly with the new link.

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-devtools/pkgconfig/pkgconfig_git.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/pkgconfig/pkgconfig_git.bb b/meta/recipes-devtools/pkgconfig/pkgconfig_git.bb
index 52ef2a97793..7bf68082b26 100644
--- a/meta/recipes-devtools/pkgconfig/pkgconfig_git.bb
+++ b/meta/recipes-devtools/pkgconfig/pkgconfig_git.bb
@@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
 SRCREV = "edf8e6f0ea77ede073f07bff0d2ae1fc7a38103b"
 PV = "0.29.2+git${SRCPV}"
 
-SRC_URI = "git://anongit.freedesktop.org/pkg-config \
+SRC_URI = "git://gitlab.freedesktop.org/pkg-config/pkg-config.git;branch=master;protocol=https \
            file://pkg-config-esdk.in \
            file://pkg-config-native.in \
            file://fix-glib-configure-libtool-usage.patch \
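Review bot: The new `SRC_URI` line names `branch=master` on a different host while `SRCREV` in the context line above is unchanged, and the commit message does not say that the pinned revision was confirmed to be reachable on that branch of the gitlab repository. A sentence in the message noting that a clean fetch of `edf8e6f0ea77ede073f07bff0d2ae1fc7a38103b` from the new location succeeded would close that gap. The switch to `protocol=https` is a welcome side effect and could be mentioned as well.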
-- 
2.30.2



* [hardknott] [PATCH 4/5] package_rpm: pass XZ_THREADS to rpm
  2021-06-02 13:27 [hardknott] [PATCH 1/5] expat: set CVE_PRODUCT Richard Purdie
  2021-06-02 13:27 ` [hardknott] [PATCH 2/5] flex: correct license information Richard Purdie
  2021-06-02 13:27 ` [hardknott] [PATCH 3/5] pkgconfig: update SRC_URI Richard Purdie
@ 2021-06-02 13:27 ` Richard Purdie
  2021-06-02 13:27 ` [hardknott] [PATCH 5/5] oeqa/runtime/rpm: Drop log message counting test component Richard Purdie
  2021-06-02 14:34 ` [OE-core] [hardknott] [PATCH 1/5] expat: set CVE_PRODUCT Michael Opdenacker
  4 siblings, 0 replies; 8+ messages in thread
From: Richard Purdie @ 2021-06-02 13:27 UTC (permalink / raw)
  To: openembedded-core; +Cc: Ross Burton, Ross Burton

From: Ross Burton <ross@burtonini.com>

By default RPM uses the number of cores as the number of threads to use,
which can result in quite antisocial memory usage.

As we control the macros for compression anyway, we can pass XZ_THREADS
to limit the number of threads if needed.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/classes/package_rpm.bbclass | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/classes/package_rpm.bbclass b/meta/classes/package_rpm.bbclass
index 84a9a6dd12f..86706da842e 100644
--- a/meta/classes/package_rpm.bbclass
+++ b/meta/classes/package_rpm.bbclass
@@ -684,8 +684,8 @@ python do_package_rpm () {
     cmd = cmd + " --define '_use_internal_dependency_generator 0'"
     cmd = cmd + " --define '_binaries_in_noarch_packages_terminate_build 0'"
     cmd = cmd + " --define '_build_id_links none'"
-    cmd = cmd + " --define '_binary_payload w6T.xzdio'"
-    cmd = cmd + " --define '_source_payload w6T.xzdio'"
+    cmd = cmd + " --define '_binary_payload w6T%d.xzdio'" % int(d.getVar("XZ_THREADS"))
+    cmd = cmd + " --define '_source_payload w6T%d.xzdio'" % int(d.getVar("XZ_THREADS"))
     cmd = cmd + " --define 'clamp_mtime_to_source_date_epoch 1'"
     cmd = cmd + " --define 'use_source_date_epoch_as_buildtime 1'"
     cmd = cmd + " --define '_buildhost reproducible'"
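Review bot: Both new `--define` lines call `int(d.getVar("XZ_THREADS"))` with no check, so when `XZ_THREADS` is unset (`d.getVar` returns None) or is not a number, `int()` raises and `do_package_rpm` fails with a bare Python exception. Read the value once into a local before building `cmd`, fail with a message that names the variable if it is missing or invalid, and reuse that local for `_binary_payload` and `_source_payload` instead of repeating the expression.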
-- 
2.30.2



* [hardknott] [PATCH 5/5] oeqa/runtime/rpm: Drop log message counting test component
  2021-06-02 13:27 [hardknott] [PATCH 1/5] expat: set CVE_PRODUCT Richard Purdie
                   ` (2 preceding siblings ...)
  2021-06-02 13:27 ` [hardknott] [PATCH 4/5] package_rpm: pass XZ_THREADS to rpm Richard Purdie
@ 2021-06-02 13:27 ` Richard Purdie
  2021-06-02 14:34 ` [OE-core] [hardknott] [PATCH 1/5] expat: set CVE_PRODUCT Michael Opdenacker
  4 siblings, 0 replies; 8+ messages in thread
From: Richard Purdie @ 2021-06-02 13:27 UTC (permalink / raw)
  To: openembedded-core

This test is flawed since multiple parts of the system can write to the log
and we obtain different numbers of log messages depending on factors we
can't control.

Drop the log testing component of the test.

[YOCTO #12465]

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/lib/oeqa/runtime/cases/rpm.py | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/meta/lib/oeqa/runtime/cases/rpm.py b/meta/lib/oeqa/runtime/cases/rpm.py
index 8e18b426f8b..7a9d62c0038 100644
--- a/meta/lib/oeqa/runtime/cases/rpm.py
+++ b/meta/lib/oeqa/runtime/cases/rpm.py
@@ -141,13 +141,4 @@ class RpmInstallRemoveTest(OERuntimeTestCase):
 
         self.tc.target.run('rm -f %s' % self.dst)
 
-        # if using systemd this should ensure all entries are flushed to /var
-        status, output = self.target.run("journalctl --sync")
-        # Get the amount of entries in the log file
-        status, output = self.target.run(check_log_cmd)
-        msg = 'Failed to get the final size of the log file.'
-        self.assertEqual(0, status, msg=msg)
 
-        # Check that there's enough of them
-        self.assertGreaterEqual(int(output), 80,
-                                   'Cound not find sufficient amount of rpm entries in /var/log/messages, found {} entries'.format(output))
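Review bot: The removed `self.target.run(check_log_cmd)` call was a user of `check_log_cmd`, and since this is the only hunk in the patch, whatever defines that variable earlier in `rpm.py` stays behind. If nothing else in the test still reads it, drop that definition (and any initial log count taken with it) in the same patch. The hunk also leaves two consecutive blank context lines after the `rm -f` call at the end of the method, which should be trimmed.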
-- 
2.30.2



* Re: [OE-core] [hardknott] [PATCH 1/5] expat: set CVE_PRODUCT
  2021-06-02 13:27 [hardknott] [PATCH 1/5] expat: set CVE_PRODUCT Richard Purdie
                   ` (3 preceding siblings ...)
  2021-06-02 13:27 ` [hardknott] [PATCH 5/5] oeqa/runtime/rpm: Drop log message counting test component Richard Purdie
@ 2021-06-02 14:34 ` Michael Opdenacker
  2021-06-02 22:36   ` Richard Purdie
  4 siblings, 1 reply; 8+ messages in thread
From: Michael Opdenacker @ 2021-06-02 14:34 UTC (permalink / raw)
  To: Richard Purdie, openembedded-core; +Cc: Steve Sakoman, YP docs mailing list

Hi Richard,

On 6/2/21 3:27 PM, Richard Purdie wrote:
> --- a/meta/recipes-core/expat/expat_2.2.10.bb
> +++ b/meta/recipes-core/expat/expat_2.2.10.bb
> @@ -25,3 +25,5 @@ do_install_ptest_class-target() {
>  }
>  
>  BBCLASSEXTEND += "native nativesdk"
> +
> +CVE_PRODUCT = "expat libexpat"


Oops, this variable doesn't appear in the documentation and more
generally CVE management doesn't seem to be documented.

Your comments and suggestions are welcome. I created a new bug
(https://bugzilla.yoctoproject.org/show_bug.cgi?id=14419) to track this.

Cheers,

Michael.

-- 
Michael Opdenacker, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com



* Re: [OE-core] [hardknott] [PATCH 1/5] expat: set CVE_PRODUCT
  2021-06-02 14:34 ` [OE-core] [hardknott] [PATCH 1/5] expat: set CVE_PRODUCT Michael Opdenacker
@ 2021-06-02 22:36   ` Richard Purdie
  2021-06-03 16:19     ` Michael Opdenacker
  0 siblings, 1 reply; 8+ messages in thread
From: Richard Purdie @ 2021-06-02 22:36 UTC (permalink / raw)
  To: Michael Opdenacker, openembedded-core; +Cc: Steve Sakoman, YP docs mailing list

On Wed, 2021-06-02 at 16:34 +0200, Michael Opdenacker wrote:
> Hi Richard,
> 
> On 6/2/21 3:27 PM, Richard Purdie wrote:
> > --- a/meta/recipes-core/expat/expat_2.2.10.bb
> > +++ b/meta/recipes-core/expat/expat_2.2.10.bb
> > @@ -25,3 +25,5 @@ do_install_ptest_class-target() {
> >  }
> >  
> > 
> > 
> > 
> >  BBCLASSEXTEND += "native nativesdk"
> > +
> > +CVE_PRODUCT = "expat libexpat"
> 
> 
> Oops, this variable doesn't appear in the documentation and more
> generally CVE management doesn't seem to be documented.
> 
> Your comments and suggestions are welcome. I created a new bug
> (https://bugzilla.yoctoproject.org/show_bug.cgi?id=14419) to track this.

It isn't documented and should be. Having the bug is good and we should 
fix/improve this.

Cheers,

Richard



* Re: [OE-core] [hardknott] [PATCH 1/5] expat: set CVE_PRODUCT
  2021-06-02 22:36   ` Richard Purdie
@ 2021-06-03 16:19     ` Michael Opdenacker
  0 siblings, 0 replies; 8+ messages in thread
From: Michael Opdenacker @ 2021-06-03 16:19 UTC (permalink / raw)
  To: Richard Purdie, openembedded-core; +Cc: Steve Sakoman, YP docs mailing list

Hi Richard,

On 6/3/21 12:36 AM, Richard Purdie wrote:
>> Oops, this variable doesn't appear in the documentation and more
>> generally CVE management doesn't seem to be documented.
>>
>> Your comments and suggestions are welcome. I created a new bug
>> (https://bugzilla.yoctoproject.org/show_bug.cgi?id=14419) to track this.
> It isn't documented and should be. Having the bug is good and we should 
> fix/improve this.


Great, thanks for confirming this!
Cheers,
Michael.

>
> Cheers,
>
> Richard
>
>
> 
>
-- 
Michael Opdenacker, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

