All of lore.kernel.org
 help / color / mirror / Atom feed
From: Stefano Babic <sbabic@denx.de>
To: Richard Purdie <richard.purdie@linuxfoundation.org>,
	Stefano Babic <sbabic@denx.de>,
	Mike Looijmans <mike.looijmans@topic.nl>,
	openembedded-core@lists.openembedded.org
Cc: Steve Sakoman <steve@sakoman.com>
Subject: Re: [OE-core] Git and pseudo
Date: Wed, 27 Apr 2022 12:48:28 +0200	[thread overview]
Message-ID: <9fd491f6-b410-805a-1375-a7a137c8fe68@denx.de> (raw)
In-Reply-To: <24e9cfaa101ed3c4f1eb227cfee43a14ee475ecf.camel@linuxfoundation.org>

On 27.04.22 12:22, Richard Purdie wrote:
> On Wed, 2022-04-27 at 08:47 +0200, Stefano Babic wrote:
>> Hi Mike, Richard,
>>
>> On 26.04.22 11:08, Mike Looijmans wrote:
>>>
>>> Met vriendelijke groet / kind regards,
>>>
>>> Mike Looijmans
>>> System Expert
>>>
>>>
>>> TOPIC Embedded Products B.V.
>>> Materiaalweg 4, 5681 RJ Best
>>> The Netherlands
>>>
>>> T: +31 (0) 499 33 69 69
>>> E: mike.looijmans@topicproducts.com
>>> W: www.topic.nl
>>>
>>> Please consider the environment before printing this e-mail
>>> On 25-04-2022 14:51, Richard Purdie wrote:
>>>> On Mon, 2022-04-25 at 09:40 +0200, Mike Looijmans wrote:
>>>>> Recently GIT got updated with a security fix:
>>>>>
>>>>> https://github.blog/2022-04-12-git-security-vulnerability-announced/
>>>>>
>>>>>
>>>>> The problem is that this causes all "git" tasks that run within pseudo
>>>>> (most noticably, image recipes) to fail. In many repositories, we use:
>>>>> git rev-parse --verify HEAD > /etc/revision
>>>>>
>>>>> Or something similar to that. After the GIT update, this now fails with
>>>>> an error like:
>>>>>
>>>>> '''
>>>>> fatal: unsafe repository ('/home/mike/repository/path' is owned by
>>>>> someone else)
>>>>> To add an exception for this directory, call:
>>>>>
>>>>>        git config --global --add safe.directory
>>>>> /home/mike/repository/path
>>>>> '''
>>>>>
>>>>> Apart from doing as it says, or even "git config --global --add
>>>>> safe.directory '*'" anyone have a better idea, especially one that
>>>>> prevents the system thinking I'm someone else (root in the case of
>>>>> pseudo).
>>>> https://git.yoctoproject.org/poky/commit/?id=21559199516a31c7635c5f2d874eaa4a92fff0e5
>>>>
>>>>
>>>> However this isn't quite enough as some things encode the path to git
>>>> into build
>>>> files so the PATH change at do_install isn't enough. igt-gpu-tools via
>>>> meson in
>>>> OE-Core is an example.
>>>>
>>>> Cheers,
>>>>
>>>> Richard
>>>>
>>> Nice, also for general usefulness.
>>>
>>>
>>> For our particular case, I came up with this (works in old OE versions
>>> as well), just inserting a task since both do_image and do_rootfs run
>>> under fakeroot:
>>>
>>>    # We require access to the git repository here, so we must run outside
>>> fakeroot
>>> do_swumetadata() {
>>>      # Hardware revision for SWUpdate
>>>      echo "${SWU_BOARD_HWREVISION}" >
>>> ${IMAGE_ROOTFS}${sysconfdir}/hwrevision
>>>      v=`git rev-parse --verify HEAD`
>>>      echo $v > ${IMAGE_ROOTFS}${sysconfdir}/swrevision
>>>      echo $v > ${DEPLOY_DIR_IMAGE}/${IMAGE_BASENAME}.swrevision
>>> }
>>> addtask do_swumetadata before do_image after do_rootfs
>>>
>>
>> It looks like we have several breakages. I found yesterday that
>> buildinfo (image-buildinfo) does not work anymore.
>>
>> meta-filesystems  = <unknown>:<unknown>
>>
>> meta-networking   = <unknown>:<unknown>
>>
>> meta-oe           = <unknown>:<unknown>
>>
>> meta-perl         = <unknown>:<unknown>
>>
>> meta-python       = <unknown>:<unknown>
>>
>> meta-swupdate     = <unknown>:<unknown>
>>
>> meta              = <unknown>:<unknown>
>>
>> meta-poky         = <unknown>:<unknown>
>>
>> meta-yocto-bsp    = <unknown>:<unknown>
>>
>>
>>
>> And the reason is exactly this security update to git, and
>> base_get_metadata_git_revision / base_get_metadata_git_branch do not
>> work anymore (in this context, of course). So should we create
>> /etc/build in a task before do_rootfs ?
>>
>> Bad is also that this affects older versions (dunfell for example),
>> because it depends on an external package (git) to OE.
> 
> 
> https://git.yoctoproject.org/poky/commit/?id=5bca57859b280f73b23247aac7dec6b05f48fde8
> 

Ok, understood, thanks !

> is now the preferred fix and we will likely be backporting this to kirkstone,
> honister and dunfell.

Thanks !

Stefano

> 
> Cheers,
> 
> Richard
> 
> 
> 
> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#164911): https://lists.openembedded.org/g/openembedded-core/message/164911
> Mute This Topic: https://lists.openembedded.org/mt/90680045/3618551
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [sbabic@denx.de]
> -=-=-=-=-=-=-=-=-=-=-=-
> 


-- 
=====================================================================
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: +49-8142-66989-53 Fax: +49-8142-66989-80 Email: sbabic@denx.de
=====================================================================


      parent reply	other threads:[~2022-04-27 10:48 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <1b153bce-a66a-45ee-a5c6-963ea6fb1c82.949ef384-8293-46b8-903f-40a477c056ae.6812ddf4-d065-4e4e-ad42-c48d1bca155d@emailsignatures365.codetwo.com>
     [not found] ` <1b153bce-a66a-45ee-a5c6-963ea6fb1c82.0d2bd5fa-15cc-4b27-b94e-83614f9e5b38.65eda1d8-3d07-4fbe-a1d1-669c533cd0a5@emailsignatures365.codetwo.com>
2022-04-25  7:40   ` Git and pseudo Mike Looijmans
2022-04-25 12:51     ` [OE-core] " Richard Purdie
2022-04-26  9:08       ` Mike Looijmans
2022-04-27  6:47         ` Stefano Babic
2022-04-27 10:22           ` Richard Purdie
2022-04-27 10:37             ` Jose Quaresma
2022-04-27 10:56               ` Richard Purdie
2022-04-28  8:24                 ` Jose Quaresma
2022-04-27 10:48             ` Stefano Babic [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=9fd491f6-b410-805a-1375-a7a137c8fe68@denx.de \
    --to=sbabic@denx.de \
    --cc=mike.looijmans@topic.nl \
    --cc=openembedded-core@lists.openembedded.org \
    --cc=richard.purdie@linuxfoundation.org \
    --cc=steve@sakoman.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.