[dunfell][PATCH] u-boot-ti: Use SRCREV to get short commit ID


Devarsh Thakkar
 

Due to recent security update in git, we are
not able to fetch revision currently using existing method:
https://github.blog/2022-04-12-git-security-vulnerability-announced/

So instead, use the SRCREV to parse the short commit ID
and set the UBOOT_LOCALVERSION variable.

Signed-off-by: Devarsh Thakkar <devarsht@...>
---
recipes-bsp/u-boot/u-boot-ti.inc | 10 +---------
1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/recipes-bsp/u-boot/u-boot-ti.inc b/recipes-bsp/u-boot/u-boot-ti.inc
index 231b7647..cc775e2e 100644
--- a/recipes-bsp/u-boot/u-boot-ti.inc
+++ b/recipes-bsp/u-boot/u-boot-ti.inc
@@ -1,14 +1,6 @@
# UBOOT_LOCALVERSION can be set to add a tag to the end of the
# U-boot version string. such as the commit id
-def get_git_revision(p):
- import subprocess
-
- try:
- return subprocess.Popen("git rev-parse HEAD 2>/dev/null ", cwd=p, shell=True, stdout=subprocess.PIPE, universal_newlines=True).communicate()[0].rstrip()
- except OSError:
- return None
-
-UBOOT_LOCALVERSION = "-g${@get_git_revision('${S}').__str__()[:10]}"
+UBOOT_LOCALVERSION = "-g${@d.getVar("SRCREV", False).__str__()[:10]}"

UBOOT_SUFFIX ?= "img"
SPL_BINARY ?= "MLO"
--
2.17.1


Nishanth Menon
 

On 21:17-20220419, Devarsh Thakkar wrote:
Due to recent security update in git, we are
not able to fetch revision currently using existing method:
https://github.blog/2022-04-12-git-security-vulnerability-announced/

So instead, use the SRCREV to parse the short commit ID
and set the UBOOT_LOCALVERSION variable.

Signed-off-by: Devarsh Thakkar <devarsht@...>
---
recipes-bsp/u-boot/u-boot-ti.inc | 10 +---------
1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/recipes-bsp/u-boot/u-boot-ti.inc b/recipes-bsp/u-boot/u-boot-ti.inc
index 231b7647..cc775e2e 100644
--- a/recipes-bsp/u-boot/u-boot-ti.inc
+++ b/recipes-bsp/u-boot/u-boot-ti.inc
@@ -1,14 +1,6 @@
# UBOOT_LOCALVERSION can be set to add a tag to the end of the
# U-boot version string. such as the commit id
-def get_git_revision(p):
- import subprocess
-
- try:
- return subprocess.Popen("git rev-parse HEAD 2>/dev/null ", cwd=p, shell=True, stdout=subprocess.PIPE, universal_newlines=True).communicate()[0].rstrip()

I see a similar logic in
recipes-kernel/linux/setup-defconfig.inc as well.

Considering similar problem

https://lore.kernel.org/all/20220413155249.3458236-2-raj.khem@gmail.com/

was wondering as to what might be a better way to solve this?

There is also git rev-parse HEAD instances in oe-core as well and
bitbake(lib/layerindexlib/cooker.py) as well.

I wonder since we know cwd=p, could we use that to set
https://git-scm.com/docs/git/2.35.2#Documentation/git.txt-codeGITCEILINGDIRECTORIEScode
(which if my understanding is right, came in around v1.5.5.1-319-g0454dd93bfb2)

OR maybe just set it to the base conf similar to what was done on
master oe-core/meta/conf/bitbake.conf (commit
02ecf3e2a98a614805f6f2574c2bf14162192d01 "bitbake.conf: Prevent git from
detecting parent repo in recipe")?

I am not sure if we should considering just side stepping this issue via
just not using the git to get the version string.. just my 2 cents.
- except OSError:
- return None
-
-UBOOT_LOCALVERSION = "-g${@get_git_revision('${S}').__str__()[:10]}"
+UBOOT_LOCALVERSION = "-g${@d.getVar("SRCREV", False).__str__()[:10]}"

UBOOT_SUFFIX ?= "img"
SPL_BINARY ?= "MLO"
--
2.17.1
--
Regards,
Nishanth Menon
Key (0xDDB5849D1736249D) / Fingerprint: F8A2 8693 54EB 8232 17A3 1A34 DDB5 849D 1736 249D


Devarsh Thakkar
 

On 20/04/22 05:04, Nishanth Menon wrote:
On 21:17-20220419, Devarsh Thakkar wrote:
Due to recent security update in git, we are
not able to fetch revision currently using existing method:
https://github.blog/2022-04-12-git-security-vulnerability-announced/

So instead, use the SRCREV to parse the short commit ID
and set the UBOOT_LOCALVERSION variable.

Signed-off-by: Devarsh Thakkar <devarsht@...>
---
recipes-bsp/u-boot/u-boot-ti.inc | 10 +---------
1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/recipes-bsp/u-boot/u-boot-ti.inc b/recipes-bsp/u-boot/u-boot-ti.inc
index 231b7647..cc775e2e 100644
--- a/recipes-bsp/u-boot/u-boot-ti.inc
+++ b/recipes-bsp/u-boot/u-boot-ti.inc
@@ -1,14 +1,6 @@
# UBOOT_LOCALVERSION can be set to add a tag to the end of the
# U-boot version string. such as the commit id
-def get_git_revision(p):
- import subprocess
-
- try:
- return subprocess.Popen("git rev-parse HEAD 2>/dev/null ", cwd=p, shell=True, stdout=subprocess.PIPE, universal_newlines=True).communicate()[0].rstrip()
I see a similar logic in
recipes-kernel/linux/setup-defconfig.inc as well.

Considering similar problem

https://lore.kernel.org/all/20220413155249.3458236-2-raj.khem@gmail.com/

was wondering as to what might be a better way to solve this?

There is also git rev-parse HEAD instances in oe-core as well and
bitbake(lib/layerindexlib/cooker.py) as well.

I wonder since we know cwd=p, could we use that to set
https://git-scm.com/docs/git/2.35.2#Documentation/git.txt-codeGITCEILINGDIRECTORIEScode
(which if my understanding is right, came in around v1.5.5.1-319-g0454dd93bfb2)

OR maybe just set it to the base conf similar to what was done on
master oe-core/meta/conf/bitbake.conf (commit
02ecf3e2a98a614805f6f2574c2bf14162192d01 "bitbake.conf: Prevent git from
detecting parent repo in recipe")?

I am not sure if we should considering just side stepping this issue via
just not using the git to get the version string.. just my 2 cents.
My top level understanding was the security update was suggesting to avoid

doing what we were doing already i.e. calling git from

a sub-process through a recipe due to security concerns and so avoided
using git

and also I think below change also achieves same what was achieved
before with SRCREV, I have

similar fix on the kernel bb too which was failing with same error.

- except OSError:
- return None
-
-UBOOT_LOCALVERSION = "-g${@get_git_revision('${S}').__str__()[:10]}"
+UBOOT_LOCALVERSION = "-g${@d.getVar("SRCREV", False).__str__()[:10]}"

UBOOT_SUFFIX ?= "img"
SPL_BINARY ?= "MLO"
--
2.17.1


Denys Dmytriyenko
 

On Wed, Apr 27, 2022 at 07:50:13PM +0530, Devarsh Thakkar via lists.yoctoproject.org wrote:

On 20/04/22 05:04, Nishanth Menon wrote:
On 21:17-20220419, Devarsh Thakkar wrote:
Due to recent security update in git, we are
not able to fetch revision currently using existing method:
https://github.blog/2022-04-12-git-security-vulnerability-announced/

So instead, use the SRCREV to parse the short commit ID
and set the UBOOT_LOCALVERSION variable.

Signed-off-by: Devarsh Thakkar <devarsht@...>
---
recipes-bsp/u-boot/u-boot-ti.inc | 10 +---------
1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/recipes-bsp/u-boot/u-boot-ti.inc b/recipes-bsp/u-boot/u-boot-ti.inc
index 231b7647..cc775e2e 100644
--- a/recipes-bsp/u-boot/u-boot-ti.inc
+++ b/recipes-bsp/u-boot/u-boot-ti.inc
@@ -1,14 +1,6 @@
# UBOOT_LOCALVERSION can be set to add a tag to the end of the
# U-boot version string. such as the commit id
-def get_git_revision(p):
- import subprocess
-
- try:
- return subprocess.Popen("git rev-parse HEAD 2>/dev/null ", cwd=p, shell=True, stdout=subprocess.PIPE, universal_newlines=True).communicate()[0].rstrip()
I see a similar logic in
recipes-kernel/linux/setup-defconfig.inc as well.

Considering similar problem

https://lore.kernel.org/all/20220413155249.3458236-2-raj.khem@gmail.com/

was wondering as to what might be a better way to solve this?

There is also git rev-parse HEAD instances in oe-core as well and
bitbake(lib/layerindexlib/cooker.py) as well.

I wonder since we know cwd=p, could we use that to set
https://git-scm.com/docs/git/2.35.2#Documentation/git.txt-codeGITCEILINGDIRECTORIEScode
(which if my understanding is right, came in around v1.5.5.1-319-g0454dd93bfb2)

OR maybe just set it to the base conf similar to what was done on
master oe-core/meta/conf/bitbake.conf (commit
02ecf3e2a98a614805f6f2574c2bf14162192d01 "bitbake.conf: Prevent git from
detecting parent repo in recipe")?

I am not sure if we should considering just side stepping this issue via
just not using the git to get the version string.. just my 2 cents.
My top level understanding was the security update was suggesting to avoid

doing what we were doing already i.e. calling git from

a sub-process through a recipe due to security concerns and so avoided
using git

and also I think below change also achieves same what was achieved
before with SRCREV, I have

similar fix on the kernel bb too which was failing with same error.

- except OSError:
- return None
-
-UBOOT_LOCALVERSION = "-g${@get_git_revision('${S}').__str__()[:10]}"
+UBOOT_LOCALVERSION = "-g${@d.getVar("SRCREV", False).__str__()[:10]}"
You should probably use SRCPV here to also work with AUTOREV.


UBOOT_SUFFIX ?= "img"
SPL_BINARY ?= "MLO"
--
2.17.1