* Git and pseudo
       [not found] ` <1b153bce-a66a-45ee-a5c6-963ea6fb1c82.0d2bd5fa-15cc-4b27-b94e-83614f9e5b38.65eda1d8-3d07-4fbe-a1d1-669c533cd0a5@emailsignatures365.codetwo.com>
@ 2022-04-25  7:40 ` Mike Looijmans
  2022-04-25 12:51   ` [OE-core] " Richard Purdie
  0 siblings, 1 reply; 9+ messages in thread
From: Mike Looijmans @ 2022-04-25  7:40 UTC (permalink / raw)
  To: openembedded-core

Recently GIT got updated with a security fix:

https://github.blog/2022-04-12-git-security-vulnerability-announced/

The problem is that this causes all "git" tasks that run within pseudo
(most noticeably, image recipes) to fail. In many repositories, we use:
  git rev-parse --verify HEAD > /etc/revision

Or something similar to that. After the GIT update, this now fails with
an error like:

'''
fatal: unsafe repository ('/home/mike/repository/path' is owned by
someone else)
To add an exception for this directory, call:

     git config --global --add safe.directory /home/mike/repository/path
'''

Apart from doing as it says, or even "git config --global --add
safe.directory '*'" anyone have a better idea, especially one that
prevents the system thinking I'm someone else (root in the case of pseudo).

--
Mike Looijmans

Kind regards,

Mike Looijmans
System Expert

TOPIC Embedded Products B.V.
Materiaalweg 4, 5681 RJ Best
The Netherlands

T: +31 (0) 499 33 69 69
E: mike.looijmans@topicproducts.com
W: www.topic.nl

Please consider the environment before printing this e-mail

^ permalink raw reply	[flat|nested] 9+ messages in thread
* Re: [OE-core] Git and pseudo
  2022-04-25  7:40 ` Git and pseudo Mike Looijmans
@ 2022-04-25 12:51   ` Richard Purdie
  2022-04-26  9:08     ` Mike Looijmans
  0 siblings, 1 reply; 9+ messages in thread
From: Richard Purdie @ 2022-04-25 12:51 UTC (permalink / raw)
  To: Mike Looijmans, openembedded-core

On Mon, 2022-04-25 at 09:40 +0200, Mike Looijmans wrote:
> Recently GIT got updated with a security fix:
>
> https://github.blog/2022-04-12-git-security-vulnerability-announced/
>
>
> The problem is that this causes all "git" tasks that run within pseudo
> (most noticeably, image recipes) to fail. In many repositories, we use:
>   git rev-parse --verify HEAD > /etc/revision
>
> Or something similar to that. After the GIT update, this now fails with
> an error like:
>
> '''
> fatal: unsafe repository ('/home/mike/repository/path' is owned by
> someone else)
> To add an exception for this directory, call:
>
>      git config --global --add safe.directory /home/mike/repository/path
> '''
>
> Apart from doing as it says, or even "git config --global --add
> safe.directory '*'" anyone have a better idea, especially one that
> prevents the system thinking I'm someone else (root in the case of pseudo).

https://git.yoctoproject.org/poky/commit/?id=21559199516a31c7635c5f2d874eaa4a92fff0e5

However this isn't quite enough as some things encode the path to git into build
files so the PATH change at do_install isn't enough. igt-gpu-tools via meson in
OE-Core is an example.

Cheers,

Richard

^ permalink raw reply	[flat|nested] 9+ messages in thread
* Re: [OE-core] Git and pseudo
  2022-04-25 12:51   ` [OE-core] " Richard Purdie
@ 2022-04-26  9:08     ` Mike Looijmans
  2022-04-27  6:47       ` Stefano Babic
  0 siblings, 1 reply; 9+ messages in thread
From: Mike Looijmans @ 2022-04-26  9:08 UTC (permalink / raw)
  To: Richard Purdie, openembedded-core

Kind regards,

Mike Looijmans
System Expert

TOPIC Embedded Products B.V.
Materiaalweg 4, 5681 RJ Best
The Netherlands

T: +31 (0) 499 33 69 69
E: mike.looijmans@topicproducts.com
W: www.topic.nl

Please consider the environment before printing this e-mail

On 25-04-2022 14:51, Richard Purdie wrote:
> On Mon, 2022-04-25 at 09:40 +0200, Mike Looijmans wrote:
>> Recently GIT got updated with a security fix:
>>
>> https://github.blog/2022-04-12-git-security-vulnerability-announced/
>>
>>
>> The problem is that this causes all "git" tasks that run within pseudo
>> (most noticeably, image recipes) to fail. In many repositories, we use:
>>   git rev-parse --verify HEAD > /etc/revision
>>
>> Or something similar to that. After the GIT update, this now fails with
>> an error like:
>>
>> '''
>> fatal: unsafe repository ('/home/mike/repository/path' is owned by
>> someone else)
>> To add an exception for this directory, call:
>>
>>      git config --global --add safe.directory /home/mike/repository/path
>> '''
>>
>> Apart from doing as it says, or even "git config --global --add
>> safe.directory '*'" anyone have a better idea, especially one that
>> prevents the system thinking I'm someone else (root in the case of pseudo).
> https://git.yoctoproject.org/poky/commit/?id=21559199516a31c7635c5f2d874eaa4a92fff0e5
>
> However this isn't quite enough as some things encode the path to git into build
> files so the PATH change at do_install isn't enough. igt-gpu-tools via meson in
> OE-Core is an example.
>
> Cheers,
>
> Richard
>

Nice, also for general usefulness.

For our particular case, I came up with this (works in old OE versions as
well), just inserting a task since both do_image and do_rootfs run under
fakeroot:

# We require access to the git repository here, so we must run outside fakeroot
do_swumetadata() {
     # Hardware revision for SWUpdate
     echo "${SWU_BOARD_HWREVISION}" > ${IMAGE_ROOTFS}${sysconfdir}/hwrevision
     v=`git rev-parse --verify HEAD`
     echo $v > ${IMAGE_ROOTFS}${sysconfdir}/swrevision
     echo $v > ${DEPLOY_DIR_IMAGE}/${IMAGE_BASENAME}.swrevision
}
addtask do_swumetadata before do_image after do_rootfs

--
Mike Looijmans

^ permalink raw reply	[flat|nested] 9+ messages in thread
* Re: [OE-core] Git and pseudo
  2022-04-26  9:08     ` Mike Looijmans
@ 2022-04-27  6:47       ` Stefano Babic
  2022-04-27 10:22         ` Richard Purdie
  0 siblings, 1 reply; 9+ messages in thread
From: Stefano Babic @ 2022-04-27  6:47 UTC (permalink / raw)
  To: Mike Looijmans, Richard Purdie, openembedded-core

Hi Mike, Richard,

On 26.04.22 11:08, Mike Looijmans wrote:
>
> Kind regards,
>
> Mike Looijmans
> System Expert
>
>
> TOPIC Embedded Products B.V.
> Materiaalweg 4, 5681 RJ Best
> The Netherlands
>
> T: +31 (0) 499 33 69 69
> E: mike.looijmans@topicproducts.com
> W: www.topic.nl
>
> Please consider the environment before printing this e-mail
> On 25-04-2022 14:51, Richard Purdie wrote:
>> On Mon, 2022-04-25 at 09:40 +0200, Mike Looijmans wrote:
>>> Recently GIT got updated with a security fix:
>>>
>>> https://github.blog/2022-04-12-git-security-vulnerability-announced/
>>>
>>>
>>> The problem is that this causes all "git" tasks that run within pseudo
>>> (most noticeably, image recipes) to fail. In many repositories, we use:
>>>    git rev-parse --verify HEAD > /etc/revision
>>>
>>> Or something similar to that. After the GIT update, this now fails with
>>> an error like:
>>>
>>> '''
>>> fatal: unsafe repository ('/home/mike/repository/path' is owned by
>>> someone else)
>>> To add an exception for this directory, call:
>>>
>>>       git config --global --add safe.directory
>>> /home/mike/repository/path
>>> '''
>>>
>>> Apart from doing as it says, or even "git config --global --add
>>> safe.directory '*'" anyone have a better idea, especially one that
>>> prevents the system thinking I'm someone else (root in the case of
>>> pseudo).
>> https://git.yoctoproject.org/poky/commit/?id=21559199516a31c7635c5f2d874eaa4a92fff0e5
>>
>>
>> However this isn't quite enough as some things encode the path to git
>> into build
>> files so the PATH change at do_install isn't enough. igt-gpu-tools via
>> meson in
>> OE-Core is an example.
>>
>> Cheers,
>>
>> Richard
>>
> Nice, also for general usefulness.
>
>
> For our particular case, I came up with this (works in old OE versions
> as well), just inserting a task since both do_image and do_rootfs run
> under fakeroot:
>
> # We require access to the git repository here, so we must run outside
> fakeroot
> do_swumetadata() {
>      # Hardware revision for SWUpdate
>      echo "${SWU_BOARD_HWREVISION}" >
> ${IMAGE_ROOTFS}${sysconfdir}/hwrevision
>      v=`git rev-parse --verify HEAD`
>      echo $v > ${IMAGE_ROOTFS}${sysconfdir}/swrevision
>      echo $v > ${DEPLOY_DIR_IMAGE}/${IMAGE_BASENAME}.swrevision
> }
> addtask do_swumetadata before do_image after do_rootfs
>

It looks like we have several breakages. I found yesterday that
buildinfo (image-buildinfo) does not work anymore.

meta-filesystems  = <unknown>:<unknown>

meta-networking   = <unknown>:<unknown>

meta-oe           = <unknown>:<unknown>

meta-perl         = <unknown>:<unknown>

meta-python       = <unknown>:<unknown>

meta-swupdate     = <unknown>:<unknown>

meta              = <unknown>:<unknown>

meta-poky         = <unknown>:<unknown>

meta-yocto-bsp    = <unknown>:<unknown>

And the reason is exactly this security update to git, and
base_get_metadata_git_revision / base_get_metadata_git_branch do not
work anymore (in this context, of course). So should we create
/etc/build in a task before do_rootfs ?

Bad is also that this affects older versions (dunfell for example),
because it depends on an external package (git) to OE.

Best regards,
Stefano

--
=====================================================================
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: +49-8142-66989-53 Fax: +49-8142-66989-80 Email: sbabic@denx.de
=====================================================================

^ permalink raw reply	[flat|nested] 9+ messages in thread
* Re: [OE-core] Git and pseudo
  2022-04-27  6:47       ` Stefano Babic
@ 2022-04-27 10:22         ` Richard Purdie
  2022-04-27 10:37           ` Jose Quaresma
  2022-04-27 10:48           ` Stefano Babic
  0 siblings, 2 replies; 9+ messages in thread
From: Richard Purdie @ 2022-04-27 10:22 UTC (permalink / raw)
  To: Stefano Babic, Mike Looijmans, openembedded-core; +Cc: Steve Sakoman

On Wed, 2022-04-27 at 08:47 +0200, Stefano Babic wrote:
> Hi Mike, Richard,
>
> On 26.04.22 11:08, Mike Looijmans wrote:
> >
> > Kind regards,
> >
> > Mike Looijmans
> > System Expert
> >
> >
> > TOPIC Embedded Products B.V.
> > Materiaalweg 4, 5681 RJ Best
> > The Netherlands
> >
> > T: +31 (0) 499 33 69 69
> > E: mike.looijmans@topicproducts.com
> > W: www.topic.nl
> >
> > Please consider the environment before printing this e-mail
> > On 25-04-2022 14:51, Richard Purdie wrote:
> > > On Mon, 2022-04-25 at 09:40 +0200, Mike Looijmans wrote:
> > > > Recently GIT got updated with a security fix:
> > > >
> > > > https://github.blog/2022-04-12-git-security-vulnerability-announced/
> > > >
> > > >
> > > > The problem is that this causes all "git" tasks that run within pseudo
> > > > (most noticeably, image recipes) to fail. In many repositories, we use:
> > > >    git rev-parse --verify HEAD > /etc/revision
> > > >
> > > > Or something similar to that. After the GIT update, this now fails with
> > > > an error like:
> > > >
> > > > '''
> > > > fatal: unsafe repository ('/home/mike/repository/path' is owned by
> > > > someone else)
> > > > To add an exception for this directory, call:
> > > >
> > > >       git config --global --add safe.directory
> > > > /home/mike/repository/path
> > > > '''
> > > >
> > > > Apart from doing as it says, or even "git config --global --add
> > > > safe.directory '*'" anyone have a better idea, especially one that
> > > > prevents the system thinking I'm someone else (root in the case of
> > > > pseudo).
> > > https://git.yoctoproject.org/poky/commit/?id=21559199516a31c7635c5f2d874eaa4a92fff0e5
> > >
> > >
> > > However this isn't quite enough as some things encode the path to git
> > > into build
> > > files so the PATH change at do_install isn't enough. igt-gpu-tools via
> > > meson in
> > > OE-Core is an example.
> > >
> > > Cheers,
> > >
> > > Richard
> > >
> > Nice, also for general usefulness.
> >
> >
> > For our particular case, I came up with this (works in old OE versions
> > as well), just inserting a task since both do_image and do_rootfs run
> > under fakeroot:
> >
> > # We require access to the git repository here, so we must run outside
> > fakeroot
> > do_swumetadata() {
> >      # Hardware revision for SWUpdate
> >      echo "${SWU_BOARD_HWREVISION}" >
> > ${IMAGE_ROOTFS}${sysconfdir}/hwrevision
> >      v=`git rev-parse --verify HEAD`
> >      echo $v > ${IMAGE_ROOTFS}${sysconfdir}/swrevision
> >      echo $v > ${DEPLOY_DIR_IMAGE}/${IMAGE_BASENAME}.swrevision
> > }
> > addtask do_swumetadata before do_image after do_rootfs
> >
>
> It looks like we have several breakages. I found yesterday that
> buildinfo (image-buildinfo) does not work anymore.
>
> meta-filesystems  = <unknown>:<unknown>
>
> meta-networking   = <unknown>:<unknown>
>
> meta-oe           = <unknown>:<unknown>
>
> meta-perl         = <unknown>:<unknown>
>
> meta-python       = <unknown>:<unknown>
>
> meta-swupdate     = <unknown>:<unknown>
>
> meta              = <unknown>:<unknown>
>
> meta-poky         = <unknown>:<unknown>
>
> meta-yocto-bsp    = <unknown>:<unknown>
>
>
>
> And the reason is exactly this security update to git, and
> base_get_metadata_git_revision / base_get_metadata_git_branch do not
> work anymore (in this context, of course). So should we create
> /etc/build in a task before do_rootfs ?
>
> Bad is also that this affects older versions (dunfell for example),
> because it depends on an external package (git) to OE.

https://git.yoctoproject.org/poky/commit/?id=5bca57859b280f73b23247aac7dec6b05f48fde8

is now the preferred fix and we will likely be backporting this to kirkstone,
honister and dunfell.

Cheers,

Richard

^ permalink raw reply	[flat|nested] 9+ messages in thread
* Re: [OE-core] Git and pseudo
  2022-04-27 10:22         ` Richard Purdie
@ 2022-04-27 10:37           ` Jose Quaresma
  2022-04-27 10:56             ` Richard Purdie
  2022-04-27 10:48           ` Stefano Babic
  1 sibling, 1 reply; 9+ messages in thread
From: Jose Quaresma @ 2022-04-27 10:37 UTC (permalink / raw)
  To: Richard Purdie; +Cc: Stefano Babic, Mike Looijmans, OE-core, Steve Sakoman

[-- Attachment #1: Type: text/plain, Size: 5130 bytes --]

Hi,

Richard Purdie <richard.purdie@linuxfoundation.org> wrote on Wednesday,
27/04/2022 at 11:22:

> On Wed, 2022-04-27 at 08:47 +0200, Stefano Babic wrote:
> > Hi Mike, Richard,
> >
> > On 26.04.22 11:08, Mike Looijmans wrote:
> > >
> > > Kind regards,
> > >
> > > Mike Looijmans
> > > System Expert
> > >
> > >
> > > TOPIC Embedded Products B.V.
> > > Materiaalweg 4, 5681 RJ Best
> > > The Netherlands
> > >
> > > T: +31 (0) 499 33 69 69
> > > E: mike.looijmans@topicproducts.com
> > > W: www.topic.nl
> > >
> > > Please consider the environment before printing this e-mail
> > > On 25-04-2022 14:51, Richard Purdie wrote:
> > > > On Mon, 2022-04-25 at 09:40 +0200, Mike Looijmans wrote:
> > > > > Recently GIT got updated with a security fix:
> > > > >
> > > > > https://github.blog/2022-04-12-git-security-vulnerability-announced/
> > > > >
> > > > >
> > > > > The problem is that this causes all "git" tasks that run within pseudo
> > > > > (most noticeably, image recipes) to fail. In many repositories, we use:
> > > > >    git rev-parse --verify HEAD > /etc/revision
> > > > >
> > > > > Or something similar to that.
> > > > > After the GIT update, this now fails with
> > > > > an error like:
> > > > >
> > > > > '''
> > > > > fatal: unsafe repository ('/home/mike/repository/path' is owned by
> > > > > someone else)
> > > > > To add an exception for this directory, call:
> > > > >
> > > > >       git config --global --add safe.directory
> > > > > /home/mike/repository/path
> > > > > '''
> > > > >
> > > > > Apart from doing as it says, or even "git config --global --add
> > > > > safe.directory '*'" anyone have a better idea, especially one that
> > > > > prevents the system thinking I'm someone else (root in the case of
> > > > > pseudo).
> > > > https://git.yoctoproject.org/poky/commit/?id=21559199516a31c7635c5f2d874eaa4a92fff0e5
> > > >
> > > >
> > > > However this isn't quite enough as some things encode the path to git
> > > > into build
> > > > files so the PATH change at do_install isn't enough. igt-gpu-tools via
> > > > meson in
> > > > OE-Core is an example.
> > > >
> > > > Cheers,
> > > >
> > > > Richard
> > > >
> > > Nice, also for general usefulness.
> > >
> > >
> > > For our particular case, I came up with this (works in old OE versions
> > > as well), just inserting a task since both do_image and do_rootfs run
> > > under fakeroot:
> > >
> > > # We require access to the git repository here, so we must run outside
> > > fakeroot
> > > do_swumetadata() {
> > >      # Hardware revision for SWUpdate
> > >      echo "${SWU_BOARD_HWREVISION}" >
> > > ${IMAGE_ROOTFS}${sysconfdir}/hwrevision
> > >      v=`git rev-parse --verify HEAD`
> > >      echo $v > ${IMAGE_ROOTFS}${sysconfdir}/swrevision
> > >      echo $v > ${DEPLOY_DIR_IMAGE}/${IMAGE_BASENAME}.swrevision
> > > }
> > > addtask do_swumetadata before do_image after do_rootfs
> > >
> >
> > It looks like we have several breakages. I found yesterday that
> > buildinfo (image-buildinfo) does not work anymore.
> >
> > meta-filesystems  = <unknown>:<unknown>
> >
> > meta-networking   = <unknown>:<unknown>
> >
> > meta-oe           = <unknown>:<unknown>
> >
> > meta-perl         = <unknown>:<unknown>
> >
> > meta-python       = <unknown>:<unknown>
> >
> > meta-swupdate     = <unknown>:<unknown>
> >
> > meta              = <unknown>:<unknown>
> >
> > meta-poky         = <unknown>:<unknown>
> >
> > meta-yocto-bsp    = <unknown>:<unknown>
> >
> >
> >
> > And the reason is exactly this security update to git, and
> > base_get_metadata_git_revision / base_get_metadata_git_branch do not
> > work anymore (in this context, of course). So should we create
> > /etc/build in a task before do_rootfs ?
> >
> > Bad is also that this affects older versions (dunfell for example),
> > because it depends on an external package (git) to OE.
> >
>
> https://git.yoctoproject.org/poky/commit/?id=5bca57859b280f73b23247aac7dec6b05f48fde8

The change that introduces the intercept script [1] is partially reversed
with [2].
With this approach using the environment we don't need the intercept script
anymore, or am I missing something?

[1] https://git.yoctoproject.org/poky/commit/?id=21559199516a31c7635c5f2d874eaa4a92fff0e5
[2] https://git.yoctoproject.org/poky/commit/?id=5546a868b52400ed1487b2ac7149f3a9e7293bd2

Jose

>
> is now the preferred fix and we will likely be backporting this to kirkstone,
> honister and dunfell.
>
> Cheers,
>
> Richard
>

--
Best regards,

José Quaresma

[-- Attachment #2: Type: text/html, Size: 8260 bytes --]

^ permalink raw reply	[flat|nested] 9+ messages in thread
* Re: [OE-core] Git and pseudo
  2022-04-27 10:37           ` Jose Quaresma
@ 2022-04-27 10:56             ` Richard Purdie
  2022-04-28  8:24               ` Jose Quaresma
  0 siblings, 1 reply; 9+ messages in thread
From: Richard Purdie @ 2022-04-27 10:56 UTC (permalink / raw)
  To: Jose Quaresma; +Cc: Stefano Babic, Mike Looijmans, OE-core, Steve Sakoman

On Wed, 2022-04-27 at 11:37 +0100, Jose Quaresma wrote:
> Hi,
>
> Richard Purdie <richard.purdie@linuxfoundation.org> wrote on Wednesday,
> 27/04/2022 at 11:22:
> > On Wed, 2022-04-27 at 08:47 +0200, Stefano Babic wrote:
> > >
> > >
> > https://git.yoctoproject.org/poky/commit/?id=5bca57859b280f73b23247aac7dec6b05f48fde8
> >
>
> The change that introduces the intercept script [1] is partially reversed with
> [2].
> With this approach using the environment we don't need the intercept script
> anymore, or am I missing something?
>
> [1]
> https://git.yoctoproject.org/poky/commit/?id=21559199516a31c7635c5f2d874eaa4a92fff0e5
> [2]
> https://git.yoctoproject.org/poky/commit/?id=5546a868b52400ed1487b2ac7149f3a9e7293bd2

The devshell experience is better with the intercept as it means things like the
user's HOMEDIR is used for their gitconfig for things like user and email when
writing commits. I've therefore chosen to leave that in master. We may or may
not backport those pieces, I don't have any strong preference.

The other commit from Ross solves the major issue we care about build wide
outside devshell.

Cheers,

Richard

^ permalink raw reply	[flat|nested] 9+ messages in thread
* Re: [OE-core] Git and pseudo
  2022-04-27 10:56             ` Richard Purdie
@ 2022-04-28  8:24               ` Jose Quaresma
  0 siblings, 0 replies; 9+ messages in thread
From: Jose Quaresma @ 2022-04-28  8:24 UTC (permalink / raw)
  To: Richard Purdie; +Cc: Stefano Babic, Mike Looijmans, OE-core, Steve Sakoman

[-- Attachment #1: Type: text/plain, Size: 1570 bytes --]

Hi,

Richard Purdie <richard.purdie@linuxfoundation.org> wrote on Wednesday,
27/04/2022 at 11:56:

> On Wed, 2022-04-27 at 11:37 +0100, Jose Quaresma wrote:
> > Hi,
> >
> > Richard Purdie <richard.purdie@linuxfoundation.org> wrote on Wednesday,
> > 27/04/2022 at 11:22:
> > > On Wed, 2022-04-27 at 08:47 +0200, Stefano Babic wrote:
> > > >
> > > >
> > > https://git.yoctoproject.org/poky/commit/?id=5bca57859b280f73b23247aac7dec6b05f48fde8
> > >
> >
> > The change that introduces the intercept script [1] is partially reversed
> > with [2].
> > With this approach using the environment we don't need the intercept script
> > anymore, or am I missing something?
> >
> > [1]
> > https://git.yoctoproject.org/poky/commit/?id=21559199516a31c7635c5f2d874eaa4a92fff0e5
> > [2]
> > https://git.yoctoproject.org/poky/commit/?id=5546a868b52400ed1487b2ac7149f3a9e7293bd2
>
> The devshell experience is better with the intercept as it means things like
> the user's HOMEDIR is used for their gitconfig for things like user and email
> when writing commits. I've therefore chosen to leave that in master. We may or
> may not backport those pieces, I don't have any strong preference.
>

I agree that the intercept will improve the devshell user experience
and it was this part that was escaping me.

Thanks
Jose

> The other commit from Ross solves the major issue we care about build wide
> outside devshell.
>
> Cheers,
>
> Richard
>

--
Best regards,

José Quaresma

[-- Attachment #2: Type: text/html, Size: 2835 bytes --]

^ permalink raw reply	[flat|nested] 9+ messages in thread
* Re: [OE-core] Git and pseudo
  2022-04-27 10:22         ` Richard Purdie
  2022-04-27 10:37           ` Jose Quaresma
@ 2022-04-27 10:48           ` Stefano Babic
  1 sibling, 0 replies; 9+ messages in thread
From: Stefano Babic @ 2022-04-27 10:48 UTC (permalink / raw)
  To: Richard Purdie, Stefano Babic, Mike Looijmans, openembedded-core
  Cc: Steve Sakoman

On 27.04.22 12:22, Richard Purdie wrote:
> On Wed, 2022-04-27 at 08:47 +0200, Stefano Babic wrote:
>> Hi Mike, Richard,
>>
>> On 26.04.22 11:08, Mike Looijmans wrote:
>>>
>>> Kind regards,
>>>
>>> Mike Looijmans
>>> System Expert
>>>
>>>
>>> TOPIC Embedded Products B.V.
>>> Materiaalweg 4, 5681 RJ Best
>>> The Netherlands
>>>
>>> T: +31 (0) 499 33 69 69
>>> E: mike.looijmans@topicproducts.com
>>> W: www.topic.nl
>>>
>>> Please consider the environment before printing this e-mail
>>> On 25-04-2022 14:51, Richard Purdie wrote:
>>>> On Mon, 2022-04-25 at 09:40 +0200, Mike Looijmans wrote:
>>>>> Recently GIT got updated with a security fix:
>>>>>
>>>>> https://github.blog/2022-04-12-git-security-vulnerability-announced/
>>>>>
>>>>>
>>>>> The problem is that this causes all "git" tasks that run within pseudo
>>>>> (most noticeably, image recipes) to fail. In many repositories, we use:
>>>>>     git rev-parse --verify HEAD > /etc/revision
>>>>>
>>>>> Or something similar to that. After the GIT update, this now fails with
>>>>> an error like:
>>>>>
>>>>> '''
>>>>> fatal: unsafe repository ('/home/mike/repository/path' is owned by
>>>>> someone else)
>>>>> To add an exception for this directory, call:
>>>>>
>>>>>        git config --global --add safe.directory
>>>>> /home/mike/repository/path
>>>>> '''
>>>>>
>>>>> Apart from doing as it says, or even "git config --global --add
>>>>> safe.directory '*'" anyone have a better idea, especially one that
>>>>> prevents the system thinking I'm someone else (root in the case of
>>>>> pseudo).
>>>> https://git.yoctoproject.org/poky/commit/?id=21559199516a31c7635c5f2d874eaa4a92fff0e5
>>>>
>>>>
>>>> However this isn't quite enough as some things encode the path to git
>>>> into build
>>>> files so the PATH change at do_install isn't enough. igt-gpu-tools via
>>>> meson in
>>>> OE-Core is an example.
>>>>
>>>> Cheers,
>>>>
>>>> Richard
>>>>
>>> Nice, also for general usefulness.
>>>
>>>
>>> For our particular case, I came up with this (works in old OE versions
>>> as well), just inserting a task since both do_image and do_rootfs run
>>> under fakeroot:
>>>
>>> # We require access to the git repository here, so we must run outside
>>> fakeroot
>>> do_swumetadata() {
>>>       # Hardware revision for SWUpdate
>>>       echo "${SWU_BOARD_HWREVISION}" >
>>> ${IMAGE_ROOTFS}${sysconfdir}/hwrevision
>>>       v=`git rev-parse --verify HEAD`
>>>       echo $v > ${IMAGE_ROOTFS}${sysconfdir}/swrevision
>>>       echo $v > ${DEPLOY_DIR_IMAGE}/${IMAGE_BASENAME}.swrevision
>>> }
>>> addtask do_swumetadata before do_image after do_rootfs
>>>
>>
>> It looks like we have several breakages. I found yesterday that
>> buildinfo (image-buildinfo) does not work anymore.
>>
>> meta-filesystems  = <unknown>:<unknown>
>>
>> meta-networking   = <unknown>:<unknown>
>>
>> meta-oe           = <unknown>:<unknown>
>>
>> meta-perl         = <unknown>:<unknown>
>>
>> meta-python       = <unknown>:<unknown>
>>
>> meta-swupdate     = <unknown>:<unknown>
>>
>> meta              = <unknown>:<unknown>
>>
>> meta-poky         = <unknown>:<unknown>
>>
>> meta-yocto-bsp    = <unknown>:<unknown>
>>
>>
>>
>> And the reason is exactly this security update to git, and
>> base_get_metadata_git_revision / base_get_metadata_git_branch do not
>> work anymore (in this context, of course). So should we create
>> /etc/build in a task before do_rootfs ?
>>
>> Bad is also that this affects older versions (dunfell for example),
>> because it depends on an external package (git) to OE.
>
>
> https://git.yoctoproject.org/poky/commit/?id=5bca57859b280f73b23247aac7dec6b05f48fde8
>

Ok, understood, thanks !

> is now the preferred fix and we will likely be backporting this to kirkstone,
> honister and dunfell.

Thanks !

Stefano

>
> Cheers,
>
> Richard
>

--
=====================================================================
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: +49-8142-66989-53 Fax: +49-8142-66989-80 Email: sbabic@denx.de
=====================================================================

^ permalink raw reply	[flat|nested] 9+ messages in thread
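
Added example (not part of the thread, and not the approach taken in the poky commits linked above): a narrower alternative to the `safe.directory '*'` setting raised in the opening message, trusting one repository for one git call through a throwaway HOME so that no exception persists in the user's own configuration. The function names are hypothetical, and the directory passed in is assumed to be the repository's top level.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not OE-Core or poky code.

# Report whether DIR is owned by the uid git will see for this process.
# Under pseudo/fakeroot the process uid reads as 0 while the checkout keeps
# its real owner, which is the mismatch behind "owned by someone else".
ownership_status() {
    owner=$(ls -nd "$1" | awk '{print $3}')
    caller=$(id -u)
    if [ "$owner" = "$caller" ]; then
        echo "match"
    else
        echo "mismatch: owner=$owner caller=$caller"
    fi
}

# Print HEAD of the repository at DIR (assumed to be its top level),
# trusting only that path and only for this one git invocation.
scoped_rev_parse() {
    repo=$(cd "$1" && pwd -P) || return 1
    tmp_home=$(mktemp -d) || return 1
    # safe.directory is honoured from global configuration, so write it to
    # a throwaway $HOME/.gitconfig instead of the user's real one.
    git config --file "$tmp_home/.gitconfig" --add safe.directory "$repo"
    HOME="$tmp_home" git -C "$repo" rev-parse --verify HEAD && rc=0 || rc=$?
    rm -rf "$tmp_home"
    return "$rc"
}

# Stand-alone use: ./script.sh /path/to/repository
if [ "$#" -gt 0 ]; then
    ownership_status "$1" >&2
    scoped_rev_parse "$1"
fi
```

Because the exception lives only in the temporary directory, other repositories on the build host stay subject to git's ownership check, unlike with the `'*'` wildcard.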
end of thread, other threads:[~2022-04-28  8:24 UTC | newest]

Thread overview: 9+ messages
     [not found] <1b153bce-a66a-45ee-a5c6-963ea6fb1c82.949ef384-8293-46b8-903f-40a477c056ae.6812ddf4-d065-4e4e-ad42-c48d1bca155d@emailsignatures365.codetwo.com>
     [not found] ` <1b153bce-a66a-45ee-a5c6-963ea6fb1c82.0d2bd5fa-15cc-4b27-b94e-83614f9e5b38.65eda1d8-3d07-4fbe-a1d1-669c533cd0a5@emailsignatures365.codetwo.com>
2022-04-25  7:40   ` Git and pseudo Mike Looijmans
2022-04-25 12:51     ` [OE-core] " Richard Purdie
2022-04-26  9:08       ` Mike Looijmans
2022-04-27  6:47         ` Stefano Babic
2022-04-27 10:22           ` Richard Purdie
2022-04-27 10:37             ` Jose Quaresma
2022-04-27 10:56               ` Richard Purdie
2022-04-28  8:24                 ` Jose Quaresma
2022-04-27 10:48             ` Stefano Babic