Hi,

Richard Purdie wrote on Wednesday, 27/04/2022 at 11:22:

> On Wed, 2022-04-27 at 08:47 +0200, Stefano Babic wrote:
> > Hi Mike, Richard,
> >
> > On 26.04.22 11:08, Mike Looijmans wrote:
> > > On 25-04-2022 14:51, Richard Purdie wrote:
> > > > On Mon, 2022-04-25 at 09:40 +0200, Mike Looijmans wrote:
> > > > > Recently GIT got updated with a security fix:
> > > > >
> > > > > https://github.blog/2022-04-12-git-security-vulnerability-announced/
> > > > >
> > > > > The problem is that this causes all "git" tasks that run within pseudo
> > > > > (most noticeably, image recipes) to fail. In many repositories, we use:
> > > > > git rev-parse --verify HEAD > /etc/revision
> > > > >
> > > > > Or something similar to that. After the GIT update, this now fails with
> > > > > an error like:
> > > > >
> > > > > '''
> > > > > fatal: unsafe repository ('/home/mike/repository/path' is owned by someone else)
> > > > > To add an exception for this directory, call:
> > > > >
> > > > > git config --global --add safe.directory /home/mike/repository/path
> > > > > '''
> > > > >
> > > > > Apart from doing as it says, or even "git config --global --add
> > > > > safe.directory '*'" anyone have a better idea, especially one that
> > > > > prevents the system thinking I'm someone else (root in the case of
> > > > > pseudo).
> > > >
> > > > https://git.yoctoproject.org/poky/commit/?id=21559199516a31c7635c5f2d874eaa4a92fff0e5
> > > >
> > > > However this isn't quite enough as some things encode the path to git
> > > > into build files so the PATH change at do_install isn't enough.
> > > > igt-gpu-tools via meson in OE-Core is an example.
> > > >
> > > > Cheers,
> > > >
> > > > Richard
> > >
> > > Nice, also for general usefulness.
> > >
> > > For our particular case, I came up with this (works in old OE versions
> > > as well), just inserting a task since both do_image and do_rootfs run
> > > under fakeroot:
> > >
> > > # We require access to the git repository here, so we must run outside fakeroot
> > > do_swumetadata() {
> > >     # Hardware revision for SWUpdate
> > >     echo "${SWU_BOARD_HWREVISION}" > ${IMAGE_ROOTFS}${sysconfdir}/hwrevision
> > >     v=`git rev-parse --verify HEAD`
> > >     echo $v > ${IMAGE_ROOTFS}${sysconfdir}/swrevision
> > >     echo $v > ${DEPLOY_DIR_IMAGE}/${IMAGE_BASENAME}.swrevision
> > > }
> > > addtask do_swumetadata before do_image after do_rootfs
> >
> > It looks like we have several breakages. I found yesterday that
> > buildinfo (image-buildinfo) does not work anymore.
> >
> > meta-filesystems = :
> > meta-networking = :
> > meta-oe = :
> > meta-perl = :
> > meta-python = :
> > meta-swupdate = :
> > meta = :
> > meta-poky = :
> > meta-yocto-bsp = :
> >
> > And the reason is exactly this security update to git, and
> > base_get_metadata_git_revision / base_get_metadata_git_branch do not
> > work anymore (in this context, of course). So should we create
> > /etc/build in a task before do_rootfs?
> >
> > Bad is also that this affects older versions (dunfell for example),
> > because it depends on an external package (git) to OE.
>
> https://git.yoctoproject.org/poky/commit/?id=5bca57859b280f73b23247aac7dec6b05f48fde8

The change that introduces the intercept script [1] is partially reversed
with [2].
With this approach using the environment, we don't need the intercept script
anymore, or am I missing something?

[1] https://git.yoctoproject.org/poky/commit/?id=21559199516a31c7635c5f2d874eaa4a92fff0e5
[2] https://git.yoctoproject.org/poky/commit/?id=5546a868b52400ed1487b2ac7149f3a9e7293bd2

Jose

> is now the preferred fix and we will likely be backporting this to kirkstone,
> honister and dunfell.
>
> Cheers,
>
> Richard
>
> View/Reply Online (#164911):
> https://lists.openembedded.org/g/openembedded-core/message/164911

--
Best regards,

José Quaresma
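
An added illustration, not part of the thread or of OE-Core: a simplified Python model of the ownership test behind the "unsafe repository" error, showing why a task that sees itself as another uid (root under pseudo) is refused, and how a per-path safe.directory entry differs from the '*' wildcard. The function names, uids and paths are constructed for the example, and real git handles more cases than this model.

```python
import os
import tempfile


def git_would_trust(repo, seen_uid, safe_directories=()):
    """Simplified model of the repository ownership test described in the thread.

    repo             -- top-level directory of the checkout
    seen_uid         -- uid the calling process believes it has (0 under pseudo)
    safe_directories -- safe.directory values from the user's global config
    Returns (trusted, reason).
    """
    repo = os.path.realpath(repo)
    owner = os.stat(repo).st_uid
    if owner == seen_uid:
        return True, "owner matches caller"
    for entry in safe_directories:
        if entry == "*":
            return True, "wildcard exception (trusts every repository)"
        if os.path.realpath(entry) == repo:
            return True, "explicit exception for this path"
    return False, "unsafe repository (owned by uid %d, caller is uid %d)" % (
        owner, seen_uid)


def demo():
    """Run the model on a constructed checkout directory owned by the current user."""
    with tempfile.TemporaryDirectory() as repo:
        owner = os.stat(repo).st_uid
        other = owner + 1  # constructed stand-in for the uid mismatch pseudo causes
        return {
            "normal task": git_would_trust(repo, owner),
            "mismatched uid": git_would_trust(repo, other),
            "path exception": git_would_trust(repo, other, [repo]),
            "wildcard": git_would_trust(repo, other, ["*"]),
            "unrelated exception": git_would_trust(repo, other, ["/nonexistent/layer"]),
        }


if __name__ == "__main__":
    for case, (trusted, reason) in demo().items():
        print("%-20s %-5s %s" % (case, trusted, reason))
```

The wildcard row is the one to watch on shared build hosts: it makes the check pass for every repository, while a per-path entry only covers the layer checkouts that are listed.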