
[meta-security][PATCH 5/5] nikito: Update common-licenses references to match new names

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
recipes-scanners/buck-security/buck-security_0.7.bb | 2 +-
recipes-scanners/checksecurity/checksecurity_2.0.15.bb | 2 +-
recipes-security/nikto/nikto_2.1.6.bb | 2 +-
recipes-security/redhat-security/redhat-security_1.0.bb | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/recipes-scanners/buck-security/buck-security_0.7.bb b/recipes-scanners/buck-security/buck-security_0.7.bb
index 179eeda..20a1fb0 100644
--- a/recipes-scanners/buck-security/buck-security_0.7.bb
+++ b/recipes-scanners/buck-security/buck-security_0.7.bb
@@ -3,7 +3,7 @@ DESCRIPTION = "Buck-Security is a security scanner for Debian and Ubuntu Linux.
system. This enables you to quickly overview the security status of your Linux system."
SECTION = "security"
LICENSE = "GPL-2.0"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6"

SRC_URI = "http://sourceforge.net/projects/buck-security/files/buck-security/buck-security_${PV}/${BPN}_${PV}.tar.gz"

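Review bot: LICENSE still reads "GPL-2.0" in the context just above the changed line while LIC_FILES_CHKSUM now points at the GPL-2.0-only file, so the recipe names the licence two different ways. Consider changing LICENSE to "GPL-2.0-only" in the same patch so the identifier and the checksummed file agree; the unchanged md5 is expected, since only the file name moved.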
diff --git a/recipes-scanners/checksecurity/checksecurity_2.0.15.bb b/recipes-scanners/checksecurity/checksecurity_2.0.15.bb
index 204123d..0161b4c 100644
--- a/recipes-scanners/checksecurity/checksecurity_2.0.15.bb
+++ b/recipes-scanners/checksecurity/checksecurity_2.0.15.bb
@@ -2,7 +2,7 @@ SUMMARY = "basic system security checks"
DESCRIPTION = "checksecurity is a simple package which will scan your system for several simple security holes."
SECTION = "security"
LICENSE = "GPL-2.0"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6"

SRC_URI = "http://ftp.de.debian.org/debian/pool/main/c/checksecurity/checksecurity_${PV}.tar.gz \
file://setuid-log-folder.patch \
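Review bot: The SRC_URI in the trailing context fetches the tarball over plain http://, which this rename does not touch but which is worth flagging in a security layer. As a follow-up, switch to an https:// mirror if one is available and check that the recipe pins the download with a SRC_URI checksum, which is outside the lines shown here.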
diff --git a/recipes-security/nikto/nikto_2.1.6.bb b/recipes-security/nikto/nikto_2.1.6.bb
index 2d2c46c..615cc30 100644
--- a/recipes-security/nikto/nikto_2.1.6.bb
+++ b/recipes-security/nikto/nikto_2.1.6.bb
@@ -4,7 +4,7 @@ SECTION = "security"
HOMEPAGE = "https://cirt.net/Nikto2"

LICENSE = "GPLv2"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6"

SRCREV = "f1bbd1a8756c076c8fd4f4dd0bc34a8ef215ae79"
SRC_URI = "git://github.com/sullo/nikto.git \
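Review bot: LICENSE = "GPLv2" two lines above the change keeps the old short name while the checksum line moves to the new GPL-2.0-only file name. Suggest updating LICENSE to "GPL-2.0-only" here as well, so the recipe matches the naming this patch adopts.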
diff --git a/recipes-security/redhat-security/redhat-security_1.0.bb b/recipes-security/redhat-security/redhat-security_1.0.bb
index 56f734c..0d70dc6 100644
--- a/recipes-security/redhat-security/redhat-security_1.0.bb
+++ b/recipes-security/redhat-security/redhat-security_1.0.bb
@@ -2,7 +2,7 @@ SUMMARY = "redhat security tools"
DESCRIPTION = "Tools used by redhat linux distribution for security checks"
SECTION = "security"
LICENSE = "GPLv2"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6"

SRC_URI = "file://find-chroot-py.sh \
file://find-chroot.sh \
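Review bot: The subject prefix names only "nikito" (presumably nikto), yet the LIC_FILES_CHKSUM line changed here belongs to redhat-security, and the patch also touches buck-security and checksecurity. Suggest a prefix that covers all four recipes, or one patch per recipe, so the change can be found from each recipe's log.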
--
2.17.1


[meta-security][PATCH 4/5] scap-security-guide: Inherit python3targetconfig

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
.../scap-security-guide/scap-security-guide.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
index 32fce0f..d1a9511 100644
--- a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
+++ b/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
@@ -10,7 +10,7 @@ DEPENDS = "openscap-native python3 python3-pyyaml-native python3-jinja2-native l

S = "${WORKDIR}/git"

-inherit cmake pkgconfig python3native
+inherit cmake pkgconfig python3native python3targetconfig

STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts"
export OSCAP_CPE_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe"
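Review bot: The inherit line gains python3targetconfig, but the commit message is only a sign-off and gives no reason. Add a sentence saying what failed or changed without the class (for example the configure or compile error it resolves), so the dependency can be re-evaluated later.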
--
2.17.1


[meta-security][PATCH 3/5] openscap: Inherit python3targetconfig

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
meta-security-compliance/recipes-openscap/openscap/openscap.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-security-compliance/recipes-openscap/openscap/openscap.inc b/meta-security-compliance/recipes-openscap/openscap/openscap.inc
index afa576a..812ea9f 100644
--- a/meta-security-compliance/recipes-openscap/openscap/openscap.inc
+++ b/meta-security-compliance/recipes-openscap/openscap/openscap.inc
@@ -11,7 +11,7 @@ DEPENDS_class-native = "pkgconfig-native swig-native curl-native libxml2-native

S = "${WORKDIR}/git"

-inherit cmake pkgconfig python3native perlnative
+inherit cmake pkgconfig python3native python3targetconfig perlnative

PACKAGECONFIG ?= "python3 rpm perl gcrypt ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
PACKAGECONFIG[python3] = "-DENABLE_PYTHON3=ON, ,python3, python3"
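Review bot: The inherit of python3targetconfig is unconditional, while the trailing context shows Python support is optional through PACKAGECONFIG[python3] and the hunk header shows a DEPENDS_class-native, so the recipe is also built native. Say in the commit message whether the class is wanted when the python3 PACKAGECONFIG is off and for the native variant, or confirm it is harmless in both cases.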
--
2.17.1


[meta-security][PATCH 2/5] python3-suricata-update: Inherit python3targetconfig

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
recipes-ids/suricata/python3-suricata-update_1.1.1.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-ids/suricata/python3-suricata-update_1.1.1.bb b/recipes-ids/suricata/python3-suricata-update_1.1.1.bb
index 0070b5b..732ca9a 100644
--- a/recipes-ids/suricata/python3-suricata-update_1.1.1.bb
+++ b/recipes-ids/suricata/python3-suricata-update_1.1.1.bb
@@ -10,6 +10,6 @@ SRC_URI = "git://github.com/OISF/suricata-update;branch='master-1.1.x'"

S = "${WORKDIR}/git"

-inherit python3native setuptools3
+inherit python3native python3targetconfig setuptools3

RDEPENDS_${PN} = "python3-pyyaml"
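Review bot: The SRC_URI visible in the hunk header fetches over git:// and wraps the branch value in single quotes (branch='master-1.1.x'); neither is touched by the inherit change, but both are worth a look while the recipe is open. Suggest adding ;protocol=https and checking whether the quotes around the branch name are intended, in a separate patch.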
--
2.17.1


[meta-security][PATCH 1/5] apparmor: Inherit python3targetconfig

Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
recipes-mac/AppArmor/apparmor_3.0.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-mac/AppArmor/apparmor_3.0.bb b/recipes-mac/AppArmor/apparmor_3.0.bb
index 35e95a0..015205d 100644
--- a/recipes-mac/AppArmor/apparmor_3.0.bb
+++ b/recipes-mac/AppArmor/apparmor_3.0.bb
@@ -39,7 +39,7 @@ PARALLEL_MAKE = ""

COMPATIBLE_MACHINE_mips64 = "(!.*mips64).*"

-inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative cpan systemd features_check bash-completion
+inherit pkgconfig autotools-brokensep update-rc.d python3native python3targetconfig perlnative cpan systemd features_check bash-completion

REQUIRED_DISTRO_FEATURES = "apparmor"

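Review bot: The inherit line now lists ten classes on one line, so a one-word addition shows up as a full-line replacement that is hard to read in the diff. Consider splitting it into several inherit statements, and note in the commit message why python3targetconfig is needed for this recipe.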
--
2.17.1


Re: Include "my.conf" in conf/local.conf

Peter Bergin
 

Hi,

On 2021-02-22 14:29, Mauro Ziliani wrote:

> Hi all
>
> Is it possible to include a file in local.conf?

Yes. Just add "include my.conf" in your configuration.

https://docs.yoctoproject.org/bitbake/bitbake-user-manual/bitbake-user-manual-metadata.html#include-directive

Regards,
/Peter

> MZ





Ignore variable change in the complete recipe #python #yocto

rkthebest@...
 

Hello,

We are using a recipe to fetch a binary from Artifactory and package it in the root file system.
This Artifactory path can be dynamic, so I am using a Linux system variable to pass this information to the recipe with
d.getVar("SYSTEM_VAR",True)
and then using this variable in the recipe to fetch the binary from Artifactory.

The problem is that when I change "SYSTEM_VAR" on the Linux machine, Yocto complains "The metadata is not deterministic and this needs to be fixed"
because I am changing the variable without changing the recipe, and the basehash value has changed.

What is the best way to solve the above problem?


Re: Custom python location on target #python

felixn1996@...
 

On Mon, Feb 22, 2021 at 05:44 AM, Josef Holzmayr wrote:
> I personally would probably go with a build-in-build, and put some
> form of application rootfs on the emmc - this could either be a simple
> chroot or some more advanced form of container. This avoids nasty
> breakages and update problems when the filesystems go out of version
> sync. Other techniques might also apply depending on your software
> rollout process, like an additional overlay fs, or a pivot-root with
> initrd, or.... it depends. But ripping out random packages and
> rearranging them at random locations certainly isn't a good idea. It
> already hurts when I think of the mount-and-deploy magic one would
> need for this to roll out in production.
>
> My $.02

Okay, that makes sense!
I'll look for a better solution.

KR,
Felix 


Re: Private: Re: [yocto] Custom python location on target #python

Josef Holzmayr
 

(re-adding list as this certainly does not contain sensitive
information - others might add other opinions and hints, as well as my
answer should be available for everyone to find it.)

On Mon, 22 Feb 2021 at 14:35, <felixn1996@gmail.com> wrote:

> On Mon, Feb 22, 2021 at 04:57 AM, Josef Holzmayr wrote:
>
>> What's the reasoning behind this? If it's meant to be a work-around for
>> "my custom software totally wants it in that location", then you're
>> probably better off fixing your custom software to stick to canonical
>> paths. If it's about partitioning schemes, other techniques might
>> apply. If it's about being able to upgrade/modify python independently
>> from the system, then you probably want some root-in-root or container
>> build. But randomly picking a complex package that has system-wide
>> implications and saying "I want it here, screw the FHS" is not a good
>> idea usually.
>
> Hi
> I am aware that what I am asking for is a bit ugly.
>
> The reason is that I have a small amount of memory at my disposal. I'm working with a setup with two partitions, a root-fs and an overlayed application file system. None of them has enough space for python.
> Therefore I want to install it on the eMMC, which has plenty of space.
> So instead of /usr which is on the root/app file system, I would install it under /media/<somewhere> on the mounted eMMC.
>
> But maybe there exists a more elegant solution?

I personally would probably go with a build-in-build, and put some
form of application rootfs on the emmc - this could either be a simple
chroot or some more advanced form of container. This avoids nasty
breakages and update problems when the filesystems go out of version
sync. Other techniques might also apply depending on your software
rollout process, like an additional overlay fs, or a pivot-root with
initrd, or.... it depends. But ripping out random packages and
rearranging them at random locations certainly isn't a good idea. It
already hurts when I think of the mount-and-deploy magic one would
need for this to roll out in production.

My $.02

Greetz


Re: Custom python location on target #python

felixn1996@...
 

On Mon, Feb 22, 2021 at 04:57 AM, Josef Holzmayr wrote:
> What's the reasoning behind this? If it's meant to be a work-around for
> "my custom software totally wants it in that location", then you're
> probably better off fixing your custom software to stick to canonical
> paths. If it's about partitioning schemes, other techniques might
> apply. If it's about being able to upgrade/modify python independently
> from the system, then you probably want some root-in-root or container
> build. But randomly picking a complex package that has system-wide
> implications and saying "I want it here, screw the FHS" is not a good
> idea usually.

Hi
I am aware that what I am asking for is a bit ugly.

The reason is that I have a small amount of memory at my disposal. I'm working with a setup with two partitions, a root-fs and an overlayed application file system. None of them has enough space for python.
Therefore I want to install it on the eMMC, which has plenty of space.
So instead of /usr which is on the root/app file system, I would install it under /media/<somewhere> on the mounted eMMC.

But maybe there exists a more elegant solution?
 
Kind regards, 
Felix


Include "my.conf" in conf/local.conf

Mauro Ziliani
 

Hi all

Is it possible to include a file in local.conf?


MZ


[opkg-utils PATCH v2] Makefile: separate manpages and utils install

Ryan Barnett
 

The installation of opkg-build man page introduces a host dependency
on perl for the pod2man package to generate the man page.

To allow the opkg-utils scripts to be installed separately from the
manpages, break apart the install step into two install steps:
install-utils and install-docs

CC: Christian Hermann <mail@hermannch.dev>
Signed-off-by: Ryan Barnett <ryanbarnett3@gmail.com>
---
v1 -> v2:
- Leave all target behavior unchanged (suggested by Christian)
---
Makefile | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index 4049654..fe96d5a 100644
--- a/Makefile
+++ b/Makefile
@@ -27,9 +27,11 @@ mandir ?=3D $(PREFIX)/man
=20
all: $(UTILS) $(MANPAGES)
=20
-install: all
+install-utils: $(UTILS)
install -d $(DESTDIR)$(bindir)
install -m 755 $(UTILS) $(DESTDIR)$(bindir)
+
+install-docs: $(MANPAGES)
install -d $(DESTDIR)$(mandir)
for m in $(MANPAGES); \
do \
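Review bot: The hunk text carries quoted-printable escapes (?=3D in the header context, =20 on the blank context lines), so the mail was not sent as plain 8-bit text and may need decoding before it applies. Resend with git send-email, or attach the patch, so the Makefile lines arrive unmodified. The split itself reads correctly: install-utils depends only on $(UTILS) and install-docs only on $(MANPAGES).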
@@ -37,4 +39,6 @@ install: all
install -m 644 "$$m" $(DESTDIR)$(mandir)/man$${m##*.}; \
done
=20
-.PHONY: install all
+install: install-utils install-docs
+
+.PHONY: install install-utils install-docs all
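Review bot: In the for loop that install-docs takes over, the recipe's exit status is that of the last command the shell runs, so a failed install -m 644 for an earlier man page does not fail the target. Append || exit 1 to the install -m 644 line inside the loop. The .PHONY line correctly lists both new targets.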
--=20
2.25.1


Re: Custom python location on target #python

Josef Holzmayr
 

Howdy!

On Mon, 22 Feb 2021 at 13:22, <felixn1996@gmail.com> wrote:
> I'm new to the Yocto Project. It is my first time posting a Yocto related question. If this is the wrong place, I apologize in advance.

No problem, welcome on board!

> I need to change the python installation location on my target from /usr/bin and /usr/lib to somewhere under /media.
> I have searched around online and tried looking in the recipe: http://git.yoctoproject.org/cgit.cgi/poky/tree/meta/recipes-devtools/python/python3_3.9.1.bb

What's the reasoning behind this? If it's meant to be a work-around for
"my custom software totally wants it in that location", then you're
probably better off fixing your custom software to stick to canonical
paths. If it's about partitioning schemes, other techniques might
apply. If it's about being able to upgrade/modify python independently
from the system, then you probably want some root-in-root or container
build. But randomly picking a complex package that has system-wide
implications and saying "I want it here, screw the FHS" is not a good
idea usually.

Greetz


Custom python location on target #python

felixn1996@...
 

Hello! 
I'm new to the Yocto Project. It is my first time posting a Yocto related question. If this is the wrong place, I apologize in advance. 
 
I need to change the python installation location on my target from /usr/bin and /usr/lib to somewhere under /media.
 
I have searched around online and tried looking in the recipe: http://git.yoctoproject.org/cgit.cgi/poky/tree/meta/recipes-devtools/python/python3_3.9.1.bb
 
But I have not made any progress so far.
 
Any help would be super appreciated!
Best regards,
Felix


Re: anyone bundled libbpf into a recipe?

Josef Holzmayr
 

https://twitter.com/TheYoctoJester/status/1358865946790797324

On Mon, 22 Feb 2021 at 12:24, Robert P. J. Day <rpjday@crashcourse.ca> wrote:

> colleague wants a recipe for libbpf:
>
> https://github.com/libbpf/libbpf
>
> would anyone have done that already and is willing to let me steal it?
>
> rday



anyone bundled libbpf into a recipe?

Robert P. J. Day
 

colleague wants a recipe for libbpf:

https://github.com/libbpf/libbpf

would anyone have done that already and is willing to let me steal it?

rday


[meta-selinux][PATCH] parted: remove bbappend

Yi Zhao
 

Remove bbappend since parted 3.4 has removed the enable_selinux
configure option[1].

Fixes:
QA Issue: parted: configure was passed unrecognised options: --enable-selinux [unknown-configure-option]

[1] https://git.savannah.gnu.org/cgit/parted.git/commit/?id=059200d50beb259c54469ae65f2d034af48ff849

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
recipes-extended/parted/parted_%.bbappend | 1 -
1 file changed, 1 deletion(-)
delete mode 100644 recipes-extended/parted/parted_%.bbappend

diff --git a/recipes-extended/parted/parted_%.bbappend b/recipes-extended/parted/parted_%.bbappend
deleted file mode 100644
index 74e22b3..0000000
--- a/recipes-extended/parted/parted_%.bbappend
+++ /dev/null
@@ -1 +0,0 @@
-inherit ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'enable-selinux', '', d)}
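Review bot: The deleted file is parted_%.bbappend, which applied to every parted version, while the commit message justifies the removal only for parted 3.4. If any branch this layer supports still builds an older parted, removing the conditional inherit of enable-selinux drops its SELinux configure option there; state in the commit message that no such version remains, or restrict the change to the branch that carries 3.4.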
--
2.25.1


Re: QA notification for completed autobuilder build (yocto-3.2.2.rc1)

Sangeeta Jain
 

Hi all,

This is the full report for yocto-3.2.2.rc1:
https://git.yoctoproject.org/cgit/cgit.cgi/yocto-testresults-contrib/tree/?h=intel-yocto-testresults

======= Summary ========
No high milestone defects.

No new issues found

Thanks,
Sangeeta

-----Original Message-----
From: yocto@lists.yoctoproject.org <yocto@lists.yoctoproject.org> On Behalf
Of Pokybuild User
Sent: Wednesday, 17 February, 2021 1:44 AM
To: yocto@lists.yoctoproject.org
Cc: qa-build-notification@lists.yoctoproject.org
Subject: [yocto] QA notification for completed autobuilder build (yocto-
3.2.2.rc1)


A build flagged for QA (yocto-3.2.2.rc1) was completed on the autobuilder and is
available at:


https://autobuilder.yocto.io/pub/releases/yocto-3.2.2.rc1


Build hash information:

bitbake: 0a3bf681530bd63fc0036ca81ef868ab53fde56c
meta-arm: aa63e31b6edb5197764c21434219050ab51f0fbd
meta-gplv2: 6e8e969590a22a729db1ff342de57f2fd5d02d43
meta-intel: 1d866c58534eb1d317b7a674c6e6c57ab9594fb0
meta-kernel: f793168bd19af3d8c5a260dd35f387ed9a31794b
meta-mingw: 352d8b0aa3c7bbd5060a4cc2ebe7c0e964de4879
oecore: ebaaee50cb3ac75112827f935c48affaf622ce7f
poky: d5d6286a66f46f4523e35e0e3f20cd7396195fdc



This is an automated message from the Yocto Project Autobuilder
Git: git://git.yoctoproject.org/yocto-autobuilder2
Email: richard.purdie@linuxfoundation.org



[opkg-utils PATCH] Makefile: seperate manpages and utils install

Ryan Barnett
 

The installation of opkg-build man page introduces a host dependency
on perl for the pod2man package to generate the man page.

To allow the opkg-utils scripts to be installed separately from the
manpages, break apart the install step into two install steps:
install-utils and install-docs

Signed-off-by: Ryan Barnett <ryanbarnett3@gmail.com>
---
Makefile | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/Makefile b/Makefile
index 4049654..7b7b8d5 100644
--- a/Makefile
+++ b/Makefile
@@ -25,11 +25,13 @@ mandir ?=3D $(PREFIX)/man
%.1: %
pod2man -r "" -c "opkg-utils Documentation" $< $@
=20
-all: $(UTILS) $(MANPAGES)
+all: install
=20
-install: all
+install-utils: $(UTILS)
install -d $(DESTDIR)$(bindir)
install -m 755 $(UTILS) $(DESTDIR)$(bindir)
+
+install-docs: $(MANPAGES)
install -d $(DESTDIR)$(mandir)
for m in $(MANPAGES); \
do \
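Review bot: Making all depend on install means a bare make now copies files into $(DESTDIR)$(bindir) and $(DESTDIR)$(mandir) instead of only building them. Keep all: $(UTILS) $(MANPAGES) as it was and add the new install-utils and install-docs targets alongside it.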
@@ -37,4 +39,6 @@ install: all
install -m 644 "$$m" $(DESTDIR)$(mandir)/man$${m##*.}; \
done
=20
-.PHONY: install all
+install: install-utils install-docs
+
+.PHONY: install install-utils install-docs all
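Review bot: install still depends on install-docs, so the perl/pod2man host dependency described in the commit message is avoided only by callers that invoke install-utils directly. Document the two new targets (in the README or in a comment above them) so packagers know which one to call.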
--=20
2.25.1


Re: [meta-security] [PATCH V2 0/8] Some fixes for IMA/EVM

Armin Kuster
 

On 2/20/21 4:18 AM, liu.ming50@gmail.com wrote:
> From: Ming Liu <liu.ming50@gmail.com>
>
> Changes in patch set V2:
>
> 1 Split patches as suggested by Dmitry Baryshkov.

Thanks for the changes.
This series is now being build tested etc.

Many thanks,

- armin

> Ming Liu (8):
> ima-evm-utils: set native REQUIRED_DISTRO_FEATURES to empty
> initramfs-framework-ima: fix a wrong path
> ima-evm-keys: add recipe
> initramfs-framework-ima: RDEPENDS on ima-evm-keys
> meta: refactor IMA/EVM sign rootfs
> README.md: update according to the refactoring in
> ima-evm-rootfs.bbclass
> initramfs-framework-ima: let ima_enabled return 0
> ima-evm-rootfs.bbclass: avoid generating /etc/fstab for wic
>
> meta-integrity/README.md | 4 ++-
> meta-integrity/classes/ima-evm-rootfs.bbclass | 33 +++++++++----------
> .../initrdscripts/initramfs-framework-ima.bb | 2 +-
> .../initrdscripts/initramfs-framework-ima/ima | 3 +-
> .../ima-evm-keys/ima-evm-keys_1.0.bb | 16 +++++++++
> .../ima-evm-utils/ima-evm-utils_git.bb | 1 +
> 6 files changed, 38 insertions(+), 21 deletions(-)
> create mode 100644 meta-integrity/recipes-security/ima-evm-keys/ima-evm-keys_1.0.bb
