* [dunfell][meta-oe][PATCH 0/2] thrift upgrade
@ 2021-08-10 13:55 Andrej Valek
2021-08-10 13:55 ` [dunfell][meta-oe][PATCH 1/2] thrift: drop unsupported features Andrej Valek
2021-08-10 14:48 ` [oe] [dunfell][meta-oe][PATCH 0/2] thrift upgrade Armin Kuster
0 siblings, 2 replies; 4+ messages in thread
From: Andrej Valek @ 2021-08-10 13:55 UTC (permalink / raw)
To: openembedded-devel; +Cc: sakoman, Andrej Valek
Upgrade thrift to version 0.14.2 due to remote security
vulnerability.
Andrej Valek (2):
thrift: drop unsupported features
thrift: upgrade to 0.14.2
...llationPaths.cmake-Define-libdir-in-terms.patch | 8 +++----
.../thrift/{thrift_0.13.0.bb => thrift_0.14.2.bb} | 26 ++++++++++------------
2 files changed, 16 insertions(+), 18 deletions(-)
rename meta-oe/recipes-connectivity/thrift/{thrift_0.13.0.bb => thrift_0.14.2.bb} (72%)
--
2.11.0
* [dunfell][meta-oe][PATCH 1/2] thrift: drop unsupported features
2021-08-10 13:55 [dunfell][meta-oe][PATCH 0/2] thrift upgrade Andrej Valek
@ 2021-08-10 13:55 ` Andrej Valek
2021-08-10 14:48 ` [oe] [dunfell][meta-oe][PATCH 0/2] thrift upgrade Armin Kuster
1 sibling, 0 replies; 4+ messages in thread
From: Andrej Valek @ 2021-08-10 13:55 UTC (permalink / raw)
To: openembedded-devel; +Cc: sakoman, Andrej Valek
- QT4 support was dropped
- Feature for switching between boost and std pointer was dropped
- only std pointers are supported since version 0.13.0
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
meta-oe/recipes-connectivity/thrift/thrift_0.13.0.bb | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/meta-oe/recipes-connectivity/thrift/thrift_0.13.0.bb b/meta-oe/recipes-connectivity/thrift/thrift_0.13.0.bb
index 92bcb21bf..e3880b357 100644
--- a/meta-oe/recipes-connectivity/thrift/thrift_0.13.0.bb
+++ b/meta-oe/recipes-connectivity/thrift/thrift_0.13.0.bb
@@ -24,7 +24,6 @@ export BUILD_SYS
export HOST_SYS
EXTRA_OECMAKE = " \
- -DENABLE_PRECOMPILED_HEADERS=OFF \
-DBUILD_LIBRARIES=ON \
-DBUILD_COMPILER=ON \
-DBUILD_TESTING=OFF \
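Review bot: the removal of `-DENABLE_PRECOMPILED_HEADERS=OFF` from EXTRA_OECMAKE is not explained by the commit message, which names only QT4 and the boost/std pointer switch. Add a line to the log stating that this option is also no longer accepted by the thrift CMake build, or keep it if it still has an effect.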
@@ -36,15 +35,12 @@ EXTRA_OECMAKE = " \
-DWITH_STATIC_LIB=ON \
-DWITH_SHARED_LIB=ON \
-DWITH_OPENSSL=ON \
- -DWITH_QT4=OFF \
-DWITH_QT5=OFF \
- -DWITH_BOOST_FUNCTIONAL=OFF \
"
-PACKAGECONFIG ??= "libevent glib boost-smart-ptr"
+PACKAGECONFIG ??= "libevent glib"
PACKAGECONFIG[libevent] = "-DWITH_LIBEVENT=ON,-DWITH_LIBEVENT=OFF,libevent"
PACKAGECONFIG[glib] = "-DWITH_C_GLIB=ON,-DWITH_C_GLIB=OFF,glib-2.0"
-PACKAGECONFIG[boost-smart-ptr] = "-DWITH_BOOST_SMART_PTR=ON,-DWITH_BOOST_SMART_PTR=OFF,boost"
do_install_append () {
ln -sf thrift ${D}/${bindir}/thrift-compiler
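Review bot: dropping `PACKAGECONFIG[boost-smart-ptr]` at the end of this hunk also removes the `boost` dependency that entry carried, and it was enabled by default through `PACKAGECONFIG ??=`. If the C++ library still needs boost at build time, make sure it is listed in DEPENDS, which is not visible in these lines. Since this targets the dunfell stable branch, the log should also say that any layer still setting `boost-smart-ptr` in PACKAGECONFIG now refers to an option the recipe no longer defines.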
--
2.11.0
* Re: [oe] [dunfell][meta-oe][PATCH 0/2] thrift upgrade
2021-08-10 13:55 [dunfell][meta-oe][PATCH 0/2] thrift upgrade Andrej Valek
2021-08-10 13:55 ` [dunfell][meta-oe][PATCH 1/2] thrift: drop unsupported features Andrej Valek
@ 2021-08-10 14:48 ` Armin Kuster
2021-08-10 16:59 ` Andrej Valek
1 sibling, 1 reply; 4+ messages in thread
From: Armin Kuster @ 2021-08-10 14:48 UTC (permalink / raw)
To: Andrej Valek, openembedded-devel; +Cc: sakoman
On 8/10/21 6:55 AM, Andrej Valek wrote:
> Upgrade thrift to version 0.14.2 due to remote security
> vulnerability.
No specific security issues are mentioned in the other patches. This is
a big jump and, from what I can decode from their release notes, they
deprecate many things between these two versions.
Unless I can be convinced otherwise, this update is deemed outside the
acceptable norms for a stable release.
I think backporting the specific security issues may be more appropriate.
thanks,
Armin
> Andrej Valek (2):
> thrift: drop unsupported features
> thrift: upgrade to 0.14.2
>
> ...llationPaths.cmake-Define-libdir-in-terms.patch | 8 +++----
> .../thrift/{thrift_0.13.0.bb => thrift_0.14.2.bb} | 26 ++++++++++------------
> 2 files changed, 16 insertions(+), 18 deletions(-)
> rename meta-oe/recipes-connectivity/thrift/{thrift_0.13.0.bb => thrift_0.14.2.bb} (72%)
* Re: [oe] [dunfell][meta-oe][PATCH 0/2] thrift upgrade
2021-08-10 14:48 ` [oe] [dunfell][meta-oe][PATCH 0/2] thrift upgrade Armin Kuster
@ 2021-08-10 16:59 ` Andrej Valek
0 siblings, 0 replies; 4+ messages in thread
From: Andrej Valek @ 2021-08-10 16:59 UTC (permalink / raw)
To: akuster808, openembedded-devel; +Cc: sakoman
Hello Armin,
Take a look at CVE-2020-13949 (https://issues.apache.org/jira/browse/THRIFT-5237). Backporting just those patches is probably a no-go; that's the reason why I chose the upgrade option.
Regards,
Andrej
> On 8/10/21 6:55 AM, Andrej Valek wrote:
>> Upgrade thrift to version 0.14.2 due to remote security
>> vulnerability.
> No specific security issues are mentioned in the other patches. This is a big jump and, from what I can decode from their release notes, they deprecate many things between these two versions.
>
> Unless I can be convinced otherwise, this update is deemed outside the acceptable norms for a stable release.
>
> I think backporting the specific security issues may be more appropriate.
>
> thanks,
> Armin
>
>> Andrej Valek (2):
>> thrift: drop unsupported features
>> thrift: upgrade to 0.14.2
>>
>> ...llationPaths.cmake-Define-libdir-in-terms.patch | 8 +++----
>> .../thrift/{thrift_0.13.0.bb => thrift_0.14.2.bb} | 26 ++++++++++------------
>> 2 files changed, 16 insertions(+), 18 deletions(-)
>> rename meta-oe/recipes-connectivity/thrift/{thrift_0.13.0.bb => thrift_0.14.2.bb} (72%)