Date   

Update bitbake broken build

JH
 

Hi,

I updated the bitbake to run git pull in master branch, now it is
broken, what does the following error message mean, how to fix it?

$ bitbake-layers show-layers

NOTE: Starting bitbake server...
ERROR: Variable PROVIDES_prepend contains an operation using the old
override syntax. Please convert this layer/metadata before attempting
to use with a newer bitbake.

Thank you.

Kind regards,

- jupiter


Re: Wayland and X11 on Yocto

Manuel Wagesreither
 

Hi all, hi Khem,

Am Do, 19. Aug 2021, um 00:22, schrieb Khem Raj:
On Wed, Aug 18, 2021 at 3:06 PM Manuel Wagesreither <ManWag@...> wrote:

Hello all,

I'm building an image to run on various SBCs and would like to equip it with a graphical interface.

There are quite a few things very unclear to me. Can someone help me with that?

* Why is X11 enabled by setting an IMAGE_FEATURE (namely x11, x11-base or x11-sato), while Wayland is enabled by IMAGE_INSTALL only (weston-init and weston)?
x11-* features is primarily to control what kind of x11 packages you
want to include in image e.g.
./meta/recipes-sato/packagegroups/packagegroup-core-x11-sato.bb is
pulled in when x11-sato is added to IMAGE_FEATURES
we have many X11 based images and sato is one of them so thats why its
separated out.
Okay, so if I get things right then IMAGE_FEATURES+="x11" is under the hood nothing more than an IMAGE_INSTALL+="packagegroup-core-x11". Is that right? If so, what's the purpose of adding the concept of IMAGE_FEATURE? I mean, it doesn't make things SO much easier. Setting an IMAGE_FEATURE or an IMAGE_INSTALL variable is the same to me.

you should really is looking at DISTRO_FEATURES e.g. wayland distro
feature is needed for core-image-weston to build.
Yepp, I know. I left them out on purpose because I was mainly interested in where the configuration for X11 and wayland differs conceptually. With "conceptually" I mean that one is added through IMAGE_FEATURES while the other is through IMAGE_INSTALL.

* Theory: Is IMAGE_FEATURE +=x11 manipulating IMAGE_INSTALL under the hood so you don't have to do it manually? And as there is no IMAGE_FEATURE "wayland", you have do it manually. Correct?
* Why is Wayland different in that it doesn't need an IMAGE_FEATURE to enable it?
there are not many wayland based compositors or images we have in core
as of now.
And if there would be more wayland based compositors or images then you would turn extract this into an IMAGE_FEATURE as well? Why? How does that make things easier? Again, I feel there's something to IMAGE_FEATURES I didn't yet understand.

* Why does core-image-weston.bb need to enable IMAGE_FEATURE hwcodec, while core-image-x11.bb does not? (Dunfell branch.)
openGL is needed for wayland/weston to work too but hwcodec feature is
infact to pull in machine specific drivers MACHINE_HWCODECS into image
if a given BSP defined it.
e.g. intel bsps define vaapi codecs and mediasdk for specific machines
via MACHINE_HWCODECS
defaults for this image features are empty
Thanks for the explanation on MACHINE_HWCODEC. I'm curious, so is core-image-x11 require DISTRO_FEATURE hwcodec or not? If yes, than it seems to be missing in the core-image-x11.bb (it's in the core-images-weston.bb, after all), if no, then why is it not required for X11?


I know I'm asking quite detailed questions, but I got the feeling I need to understand this once and for all.

Thanks, regards, Manuel


Extensible SDK - runtime packages installation

d0ku
 

Hi,

I've been playing with extensible SDK lately and got to a point, where I want to create a minimal SDK installer and install all the required packages in runtime via `devtool sdk-install`, so that every developer can get only the stuff that's actually needed.

For the target part it works as expected, installing the content to ${OECORE_TARGET_SYSROOT}, however for the host part the content gets installed to ${OECORE_NATIVE_SYSROOT}, but it's not visible in the PATH in some cases. E.g. for perl-native the binaries are installed to `<native sysroot>/bin/perl-native` and are not visible, unless I manually extend the PATH with this directory, then it works fine.

So my questions are:
* Is the runtime installation of packages meant to run on host actually supported? It surely works for e.g. compiler, so I assume it should be also fine for other packages?
* Should I install `nativesdk-` or `-native` packages, if I want to use them this way? Or can I actually do both? In the eSDK talk by Paul Eggerton I saw that `nativesdk-cmake` was added, but the `nativesdk-` doesn't really seem to fit `mini Yocto environment` that eSDK basically is.
* Am I possibly missing some configuration steps? In Yocto environment the PATH gets expanded with `bin/perl-native` automatically, but I wasn't able to pinpoint what file/task actually does it.

Best Regards and thanks in advance,
Jakub


Re: meta-gnome error #yocto

Khem Raj
 

On 8/23/21 2:55 AM, yasminebenghozzi6@... wrote:
Hello, please can anyone help with this error ?
ERROR: ParseError at /home/yasmine/yocto/poky/meta-openembedded/meta-gnome/recipes-gnome/yelp/yelp_3.34.0.bb:7: Could not inherit file classes/itstool.bbclass
this is the line 7:
inherit gnomebase itstool autotools-brokensep gsettings gettext gtk-doc features_check mime-xdg
this class is provided by meta-oe layer. Make sure you have meta-oe layer in your bblayers.conf


Yocto Technical Team Minutes, Engineering Sync, for August 17, 2021

Trevor Woerner
 

Yocto Technical Team Minutes, Engineering Sync, for August 17, 2021
archive: https://docs.google.com/document/d/1ly8nyhO14kDNnFcW2QskANXW3ZT7QwKC5wWVDg9dDH4/edit

== disclaimer ==
Best efforts are made to ensure the below is accurate and valid. However,
errors sometimes happen. If any errors or omissions are found, please feel
free to reply to this email with any corrections.

== attendees ==
Trevor Woerner, Stephen Jolley Richard Purdie Peter Kjellerstedt Joshua
Watt Randy MacLeod Saul Wold Michael Halstead Richard Elberger Scott Murray
Steve Sakoman Tony Toscioglu Trevor Gamblin Bruce Ashfield Ross Burton
Alexandre Belloni Daiane Angolini Jon Mason Jan-Simon Möller

== project status ==
- 3.1.10 (dunfell) released
- 3.4 (honister) is in feature freeze next week (pending work includes rust
and prserv)
- glibc 2.34 update merged. the builds are fine, but causes problems with
uninative and pseudo, fixes being investigated
- kernel: drop 5.4, updates to 5.10 and 5.13
- appears to be issues with buildtools tarball in aarch64 (probably related to
gcc 11 update)
- plan to migrate tune files into architecture-specific directories; patch
likely to merge in the next few days
- bitbake fetcher no longer ignores SSL certificates
- LTO linker flag handling changes merged to help with reproducibility issues
- overlayfs class changes were merged

== discussion ==
Randy: the pending rust work is coming along. fixed ppc issue and fixed
reproducibility issues but still having an issue with diffsigs. Alex did a
full build and it’s looking good. is diffsig issue a requirement?
RP: yes. maybe show it to me and i can take a look. perhaps a status update to
the mailing list

Scott: re: prserv. i was away. i was able to reproduce the hang issues that RP
was seeing on the AB before i left. however, i’m seeing a new issue with
debian 10 and python 3.7 we’re seeing a hang, but it’s not like any
of the other hangs we’ve seen before so still investigating. is feature
freeze the end of this week, or next
RP: technically Monday. but this is a planned feature so there is some
flexibility so we’ll see how the progress goes
Scott: what’s the minimum python?
RP: 3.5 or 3.6?
Ross: 3.5
Scott: we could also lift the read-only feature and put that in for this
release then work on the rest for the next release
RP: well, we need read-only for hashequiv and prserv
Scott: it’s already there for hashequiv. i don’t think it’s a huge need
for this code. but i’ll keep working on it
RP: we could do that as a backup plan, but i’d prefer to see it all go in
for this release. i’m reluctant to do this.
Scott: python 3.9 seems quite happy. the problem seems to be with the older
versions. maybe there’s something we can do with the older versions to
make them happy
JPEW: hash equiv is a lot cleaner, it doesn’t have to do all the forking etc
Scott: i thought i had it working (before i left) but i guess not. i’m
seeing a strange ld.so bug (inconsistency detected by ld.so: dl-open
worker assert dl_debug_initialize()->rstate == RT_CONSISTENT failed). not
sure what this is, not what you’d expect out of a python program. looks
like maybe loading debug symbols? when i attach gdb i don’t see any
obvious problems. the coverage on the AB uses buildtools, what combos on
the AB include the old python?
RP: i think the really older ones all have buildtools tarball, but newer ones
would run native
PeterK: i think the latest python is 3.6 with the fstreams thing
JPEW: i thought it was 3.6 too, i’m pretty sure i was the one who bumped it
RP: i was thinking 3.6 for fstreams too when Ross said 3.5
PeterK: not that it helps you if you want 3.9
RP: but it does help somewhat
Randy: (finds log) January 2021
RP: ah, the core does have the version bump, but it was not done in bitbake
JPEW: i think it was something specific in oe-core that needs 3.6 and if
someone is using bitbake without oe-core then they can still use 3.5

JPEW: is bitbake major version going to bump with overrides
RP: it did
JPEW: i meant bitbake 2.0.0
RP: not yet. i’m tempted for next LTS, but we’ll see. i’m getting tired
of 1.x ;-)
JPEW: let’s use dates

JPEW: re spdx. if you go to poky-contrib there is a branch jpew-sbom which
includes all the stuff i’ve done with spdx and sbom creation. please
take a look and let me know if what we’re creating generates something
that’s useful to you. if you do fossology scanning then please take a
look at the output and let me know if that works for you
Saul: i’m looking at it. do you have any plans about creating a single large
image sbom instead of the relationship based one
JPEW: originally i went down that road, it can be done if we can do it sanely.
however we have to create different parts at different times in the build,
so it’s just easier to have separate docs and then link them later.
so we get 100’s and 100’s of docs, and then put them together in a
tarball.
Saul: townhall is tomorrow, looking forward to it. but i’ll look at scripts
to pull it all in together into one single doc
JPEW: that would actually make the documentation smaller because all the
linking adds quite a bit.
JPEW: also i wanted to leave open the possibility to link to spdx docs from
the source code and pull all that into the big tarball. i think the
lite-spdx group is trying to make things nicer (in this direction) for our
(and others’) usecase, but not involved in that
Saul: sometimes the external references cause issues. i threw some random ones
at the validator and there were some warnings and errors. the tools are
also 1.x version but they don’t properly validate the 2.x stuff.
JPEW: they were validating against the online tools at one point, but i
probably did something to mess it up. it’s annoying that the offline
native tool is java based. it would be nice to validate as part of the
build, but that’s a huge undertaking. there’s also the issue of
identifying the spdx license using the ?? tool
RP: who said to not use that tool?
JPEW: you did
RP: okay. well that’s what i’d use so go ahead
JPEW: also need to verify that the license that we put in the file is a known
and valid spdx license. sometimes the validator tool doesn’t accept it
because of a small issue even though it is the same license
RP: there’s an spdx-legal mailing list where stuff like this is being
discussed. e.g. common licenses for distros.
RP: glancing down your branch, i think we can start adding it
JPEW: i’d like to target the next release. we could merge it now as-is,
it’s functional but not 100% correct
Saul: it’s pretty isolated
JPEW: yes, just one class. if you don’t inherit it, it shouldn’t affect
anything
RP: i’m leaning towards adding it for this release as-is since it is so
isolated because it is important and i’d like to see it get wider use
Scott: townhall presentation meeting by Joshua tomorrow
Saul: free registration, supply-chain discussions, NA timezone
Scott: there are some other talks too that seem interesting (sigstore)
RP: thanks to JPEW for putting in the presentation! sbom and reproducibility
JPEW: sbom, reproducibility, CVE checking, buildtools, etc

RP: re current patch status. lots of version changes in master-next
Scott: yes myself and Jan-Simon noticed it. i’ll poke around in it
Jon: on my todo list today, will review it
Scott: i think the tune one might blow up AGL
RP: it’s in master-next and Alex’s testing branch which i think shows
green for AGL. it’s intel that blows up
AlexB: yes, AGL is fine but Intel blows up.
RP: AlexB make sure Anuj is aware of the meta-intel issue
AlexB: sure
SS: what’s it mean for the removal of the 5.4 linux-yocto recipe for
dunfell?
Bruce: i’ll keep sending them to you. i keep updating 4.19 and other things
that still get updates. i’ll make sure to add “dunfell” in the cover
letter
SS: lots of hand-editing of colons and underscores
RP: i suspect the conversion scripts could be reversed to change colons back
to underscores

RP: glibc 2.3.4 changes caused more issues than i anticipated. AB builds are
green, but 2.3.4 on the host (builtdools tarball extended) or ?? cause
issues. in some cases there are reproducibility issues.
RP: libevent INT-AB monotonic test keeps failing off and on, but fails often
enough to be annoying. will be the next one to come to grips with
AlexB: yes, that one and the bitbake one
RP: i’m pretending that tone doesn’t exist

TrevorW: i want to convert meta-rockchip to use more of the kernel kmeta
config features, what machine do you recommend i follow as a good example
of doing it right?
Bruce: i'll send you something

TrevorW: is there any requirements or objections to adding new IMAGE_FEATUREs?
i’m working on a zram IMAGE_FEATURE and would like to know if there’s
any chance it would be rejected as an IMAGE_FEATURE so i could look at
other approaches
RP: IMAGE_FEATUREs have never been rejected that i know of
TrevorW: they’re added very rarely and there aren’t many of them
RP: they’re infrequent because there aren’t many. just be careful how you
add the packagegroups to make sure you don’t add build dependencies.
TrevorW: my feature will also need to add a kernel config. are there any
examples of a feature that also pokes the kernel config?
Bruce: check nfs ones

Elberger: is there going to be a yocto-checklayer for dunfell?
RP: i think it’s been enabled
Elberger: i’m looking at the yocto console view and it’s not there, am i
looking at the wrong thing
RP: maybe it scrolled off the page, i’ll send you a
link… https://autobuilder.yoctoproject.org/typhoon/#/builders/121/build
s/208
looks like it failed in aws and meta-oe.
Elberger: oh, it might have failed in aws because of a dependency on meta-oe.
RP: true, yes. this isn’t an issue with meta-aws

Elberger: how can maintainers do stuff on the AB
RP: talk to Nico and I. probably need to wait for September

TrevorG: python-cryptography test is failing because of a version mismatch,
needs setuptools-rust which requires rust in oe-core
Randy: look for my rust branch at poky-contrib


meta-gnome error #yocto

yasminebenghozzi6@...
 

Hello, please can anyone help with this error ? 
ERROR: ParseError at /home/yasmine/yocto/poky/meta-openembedded/meta-gnome/recipes-gnome/yelp/yelp_3.34.0.bb:7: Could not inherit file classes/itstool.bbclass

this is the line 7:
inherit gnomebase itstool autotools-brokensep gsettings gettext gtk-doc features_check mime-xdg


[meta-zephyr][PATCH] layer.conf: update machine confs with new tune locations

Naveen Saini
 

Added logic to make sure, it does not break with old releases.

Signed-off-by: Naveen Saini <naveen.kumar.saini@...>
---
conf/layer.conf | 2 ++
conf/machine/include/tune-corei7-common.inc | 4 ++--
conf/machine/qemu-x86.conf | 2 +-
3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/conf/layer.conf b/conf/layer.conf
index 5f13c27..35f1075 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -16,3 +16,5 @@ LAYERVERSION_zephyr = "1"
LAYERDEPENDS_zephyr = "core meta-python"

LAYERSERIES_COMPAT_zephyr = "dunfell gatesgarth hardknott honister"
+
+X86_TUNE_DIR = "${@bb.utils.contains('LAYERSERIES_CORENAMES', 'honister', 'include/x86', 'include', d)}"
diff --git a/conf/machine/include/tune-corei7-common.inc b/conf/machine/include/tune-corei7-common.inc
index 509d190..b68fc05 100644
--- a/conf/machine/include/tune-corei7-common.inc
+++ b/conf/machine/include/tune-corei7-common.inc
@@ -1,6 +1,6 @@
DEFAULTTUNE ?= "corei7-64"
-require conf/machine/include/tune-corei7.inc
-require conf/machine/include/x86-base.inc
+require conf/machine/${X86_TUNE_DIR}/tune-corei7.inc
+require conf/machine/${X86_TUNE_DIR}/x86-base.inc

# Add x86 to MACHINEOVERRIDE
MACHINEOVERRIDES =. "x86:"
diff --git a/conf/machine/qemu-x86.conf b/conf/machine/qemu-x86.conf
index 31ce80d..ae7716c 100644
--- a/conf/machine/qemu-x86.conf
+++ b/conf/machine/qemu-x86.conf
@@ -3,7 +3,7 @@
#@DESCRIPTION: Machine for Zephyr BOARD qemu_x86

require conf/machine/include/qemu.inc
-require conf/machine/include/tune-i586.inc
+require conf/machine/${X86_TUNE_DIR}/tune-i586.inc

ZEPHYR_INHERIT_CLASSES += "zephyr-qemuboot"

--
2.17.1


[PATCH v2] bitbake/fetch2: Add a new variable 'BB_FETCH_ENV' to export Fetcher env

Mingrui Ren
 

From 1b0d7b4bb4a5b39f7ae0ce7d7ae5897a33637972 Mon Sep 17 00:00:00 2001
From: Mingrui Ren <jiladahe1997@...>
Date: Mon, 23 Aug 2021 14:49:03 +0800
Subject: [PATCH v2] bitbake/fetch2: Add a new variable 'BB_FETCH_ENV' to export Fetcher env

The environment variables used by Fetcher are hard-coded, and are obtained
from HOST env instead of bitbake datastore
This patch add a new variable 'BB_FETCH_ENV',and modify the default
BB_ENV_EXTRAWHITE_OE for backwards compatibility, trying to fix the
problems above.

Signed-off-by: Mingrui Ren <jiladahe1997@...>
---
changes in v2:
a.changes the variable name from 'FETCH_ENV_WHITELIST' to 'BB_FETCH_ENV'.
b.add 'BB_FETCH_ENV' in local.conf, rather than export it in host
enviroment.
c.modify existing BB_ENV_EXTRAWHITE_OE for backwards compatibility.
d.Two commits recently modified this variable. The commit ID is:
348384135272ae7c62a11eeabcc43eddc957811f and 5dce2f3da20a14c0eb5229696561b0c5f6fce54c,
So I adjusted the new variables in the patch.

bitbake/lib/bb/fetch2/__init__.py | 34 ++++++++-----------------------
bitbake/lib/bb/fetch2/wget.py | 2 +-
meta-poky/conf/local.conf.sample | 12 +++++++++++
scripts/oe-buildenv-internal | 3 ++-
4 files changed, 24 insertions(+), 27 deletions(-)

diff --git a/bitbake/lib/bb/fetch2/__init__.py b/bitbake/lib/bb/fetch2/__init__.py
index 914fa5c024..cbbe32d1df 100644
--- a/bitbake/lib/bb/fetch2/__init__.py
+++ b/bitbake/lib/bb/fetch2/__init__.py
@@ -808,28 +808,13 @@ def localpath(url, d):
fetcher = bb.fetch2.Fetch([url], d)
return fetcher.localpath(url)

-# Need to export PATH as binary could be in metadata paths
-# rather than host provided
-# Also include some other variables.
-FETCH_EXPORT_VARS = ['HOME', 'PATH',
- 'HTTP_PROXY', 'http_proxy',
- 'HTTPS_PROXY', 'https_proxy',
- 'FTP_PROXY', 'ftp_proxy',
- 'FTPS_PROXY', 'ftps_proxy',
- 'NO_PROXY', 'no_proxy',
- 'ALL_PROXY', 'all_proxy',
- 'GIT_PROXY_COMMAND',
- 'GIT_SSH',
- 'GIT_SSL_CAINFO',
- 'GIT_SMART_HTTP',
- 'SSH_AUTH_SOCK', 'SSH_AGENT_PID',
- 'SOCKS5_USER', 'SOCKS5_PASSWD',
- 'DBUS_SESSION_BUS_ADDRESS',
- 'P4CONFIG',
- 'SSL_CERT_FILE',
- 'AWS_ACCESS_KEY_ID',
- 'AWS_SECRET_ACCESS_KEY',
- 'AWS_DEFAULT_REGION']
+def getfetchenv(d):
+ # Need to export PATH as binary could be in metadata paths
+ # rather than host provided
+ # Also include some other variables.
+ vars = ['HOME', 'PATH']
+ vars.extend((d.getVar("BB_FETCH_ENV") or "").split())
+ return vars

def runfetchcmd(cmd, d, quiet=False, cleanup=None, log=None, workdir=None):
"""
@@ -839,7 +824,7 @@ def runfetchcmd(cmd, d, quiet=False, cleanup=None, log=None, workdir=None):
Optionally remove the files/directories listed in cleanup upon failure
"""

- exportvars = FETCH_EXPORT_VARS
+ exportvars = getfetchenv(d)

if not cleanup:
cleanup = []
@@ -855,9 +840,8 @@ def runfetchcmd(cmd, d, quiet=False, cleanup=None, log=None, workdir=None):
d.setVar("PV", "fetcheravoidrecurse")
d.setVar("PR", "fetcheravoidrecurse")

- origenv = d.getVar("BB_ORIGENV", False)
for var in exportvars:
- val = d.getVar(var) or (origenv and origenv.getVar(var))
+ val = d.getVar(var)
if val:
cmd = 'export ' + var + '=\"%s\"; %s' % (val, cmd)

diff --git a/bitbake/lib/bb/fetch2/wget.py b/bitbake/lib/bb/fetch2/wget.py
index 29fcfbb3d1..0ce06ddb4f 100644
--- a/bitbake/lib/bb/fetch2/wget.py
+++ b/bitbake/lib/bb/fetch2/wget.py
@@ -306,7 +306,7 @@ class Wget(FetchMethod):
# to scope the changes to the build_opener request, which is when the
# environment lookups happen.
newenv = {}
- for name in bb.fetch2.FETCH_EXPORT_VARS:
+ for name in bb.fetch2.getfetchenv(d):
value = d.getVar(name)
if not value:
origenv = d.getVar("BB_ORIGENV")
diff --git a/meta-poky/conf/local.conf.sample b/meta-poky/conf/local.conf.sample
index f1f6d690fb..4e8a6f0c77 100644
--- a/meta-poky/conf/local.conf.sample
+++ b/meta-poky/conf/local.conf.sample
@@ -267,6 +267,18 @@ PACKAGECONFIG:append:pn-qemu-system-native = " sdl"
#
#BB_SERVER_TIMEOUT = "60"

+# Bitbake Fetcher Environment Variables
+#
+# Specific which environment variables in bitbake datastore used by fetcher when
+# executing fetch task.
+# NOTE: You may need to modify BB_ENV_EXTRAWHITE, in order to add environment
+# variable into bitbake datastore first.
+BB_FETCH_ENV ?= "HTTP_PROXY http_proxy HTTPS_PROXY https_proxy \
+FTP_PROXY ftp_proxy FTPS_PROXY ftps_proxy NO_PROXY no_proxy ALL_PROXY all_proxy \
+GIT_PROXY_COMMAND GIT_SSH GIT_SSL_CAINFO GIT_SMART_HTTP SSH_AUTH_SOCK SSH_AGENT_PID \
+SOCKS5_USER SOCKS5_PASSWD DBUS_SESSION_BUS_ADDRESS P4CONFIG SSL_CERT_FILE AWS_ACCESS_KEY_ID\
+AWS_SECRET_ACCESS_KEY AWS_DEFAULT_REGION"
+
# CONF_VERSION is increased each time build/conf/ changes incompatibly and is used to
# track the version of this file when it was generated. This can safely be ignored if
# this doesn't mean anything to you.
diff --git a/scripts/oe-buildenv-internal b/scripts/oe-buildenv-internal
index e0d920f2fc..29cb694790 100755
--- a/scripts/oe-buildenv-internal
+++ b/scripts/oe-buildenv-internal
@@ -111,7 +111,8 @@ HTTPS_PROXY https_proxy FTP_PROXY ftp_proxy FTPS_PROXY ftps_proxy ALL_PROXY \
all_proxy NO_PROXY no_proxy SSH_AGENT_PID SSH_AUTH_SOCK BB_SRCREV_POLICY \
SDKMACHINE BB_NUMBER_THREADS BB_NO_NETWORK PARALLEL_MAKE GIT_PROXY_COMMAND \
SOCKS5_PASSWD SOCKS5_USER SCREENDIR STAMPS_DIR BBPATH_EXTRA BB_SETSCENE_ENFORCE \
-BB_LOGCONFIG"
+BB_LOGCONFIG HOME PATH GIT_SSH GIT_SSL_CAINFO GIT_SMART_HTTP DBUS_SESSION_BUS_ADDRESS \
+P4CONFIG SSL_CERT_FILE AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_DEFAULT_REGION"

BB_ENV_EXTRAWHITE="$(echo $BB_ENV_EXTRAWHITE $BB_ENV_EXTRAWHITE_OE | tr ' ' '\n' | LC_ALL=C sort --unique | tr '\n' ' ')"

--
2.25.1


Re: [meta-mingw] [PATCH] grpc: remove nl2 requirement since it is optional

Sinan Kaya <okaya@...>
 

On 8/21/2021 3:27 PM, Joshua Watt wrote:
>  EXTRA_OECMAKE:remove:mingw32 = "-DBUILD_SHARED_LIBS=ON"
>  EXTRA_OECMAKE:append:mingw32 = " -DBUILD_SHARED_LIBS=OFF"

Should we be making that a PACKAGECONFIG which mingw32 could change?


Yes, that's a good idea. Sinan, please make that change in meta-oe, then
change this patch to remove it from PACKAGECONFIG
Patch sent with subject: [meta-oe][PATCH] grpc: make SHARED library
build optional

I will wait until it gets merged to follow up here.


Re: Pyinstaller recipe in yocto #yocto

Tim Orling
 



On Sun, Aug 22, 2021 at 10:33 AM Tim Orling via lists.yoctoproject.org <ticotimo=gmail.com@...> wrote:


On Sun, Aug 22, 2021 at 1:32 AM <yasminebenghozzi6@...> wrote:
Good morning, 

So please I need help, I 've been building the pyinstaller recipe but I got errors which I couldn't explain , because I have the recipe python3-wheel which got built perfectly. Can anyone help please? 


The resolution of the images makes it a bit difficult to read the text, you are better off copy and pasting into  the email or pastebin and sharing the link
 
The recipe is failing during do_compile(), which is a hint that you need a -native recipe, not target recipe.
DEPENDS += "python3-wheel-native"

After that it will throw the 'already-stripped' QA Error:
# ERROR: pyinstaller-4.5.1-r0 do_package: QA Issue: File '/usr/lib/python3.9/site-packages/PyInstaller/bootloader/Linux-64bit-intel/run' from pyinstaller was already stripped, this will prevent future debugging! [already-stripped]
# ERROR: pyinstaller-4.5.1-r0 do_package: QA Issue: File '/usr/lib/python3.9/site-packages/PyInstaller/bootloader/Linux-64bit-intel/run_d' from pyinstaller was already stripped, this will prevent future debugging! [already-stripped]

The fix for that is:
INSANE_SKIP:${PN} += "already-stripped"

But pyinstaller is a complicated program and has many more dependencies for run time (RDEPENDS). One way to help figure those out is to use 'devtool add' to create the original recipe.

(we use Debian naming, so prefix the pypi name with python3-, the URL is from pypi 'Download FIles' )

In this case it resulted in a recipe with a parsing error, but normally this doesn't happen. Devtool detected a lot of dependencies, including two recipes that are not in YP/OE yet.

I have created a WIP branch you can try to use moving forward, but you'll have to do the rest of the work yourself or with the help of the community.

If you desire the functionality of UPX, there is a recipe in meta-virtualization







Re: Pyinstaller recipe in yocto #yocto

Tim Orling
 



On Sun, Aug 22, 2021 at 1:32 AM <yasminebenghozzi6@...> wrote:
Good morning, 

So please I need help, I 've been building the pyinstaller recipe but I got errors which I couldn't explain , because I have the recipe python3-wheel which got built perfectly. Can anyone help please? 


The resolution of the images makes it a bit difficult to read the text, you are better off copy and pasting into  the email or pastebin and sharing the link
 
The recipe is failing during do_compile(), which is a hint that you need a -native recipe, not target recipe.
DEPENDS += "python3-wheel-native"

After that it will throw the 'already-stripped' QA Error:
# ERROR: pyinstaller-4.5.1-r0 do_package: QA Issue: File '/usr/lib/python3.9/site-packages/PyInstaller/bootloader/Linux-64bit-intel/run' from pyinstaller was already stripped, this will prevent future debugging! [already-stripped]
# ERROR: pyinstaller-4.5.1-r0 do_package: QA Issue: File '/usr/lib/python3.9/site-packages/PyInstaller/bootloader/Linux-64bit-intel/run_d' from pyinstaller was already stripped, this will prevent future debugging! [already-stripped]

The fix for that is:
INSANE_SKIP:${PN} += "already-stripped"

But pyinstaller is a complicated program and has many more dependencies for run time (RDEPENDS). One way to help figure those out is to use 'devtool add' to create the original recipe.

(we use Debian naming, so prefix the pypi name with python3-, the URL is from pypi 'Download FIles' )

In this case it resulted in a recipe with a parsing error, but normally this doesn't happen. Devtool detected a lot of dependencies, including two recipes that are not in YP/OE yet.

I have created a WIP branch you can try to use moving forward, but you'll have to do the rest of the work yourself or with the help of the community.




remove meta-python2 from yocto #yocto

yasminebenghozzi6@...
 

Hello, 

I recently cloned into meta-python2 and I think it made an issue, so I want to remove it now, any help please? 


Pyinstaller recipe in yocto #yocto

yasminebenghozzi6@...
 

Good morning, 

So please I need help, I 've been building the pyinstaller recipe but I got errors which I couldn't explain , because I have the recipe python3-wheel which got built perfectly. Can anyone help please? 


Re: [meta-security][PATCH 1/2] image-with-hardened-binaries: add class

Robert Berger
 

Hi,

On 21/08/2021 18:35, Armin Kuster wrote:
Regarding the selftest, is there test for failure?
I ran this against core-image-minimal and nothing was printed out. Does
that mean its fine?
You may want to remove the ".py" from
python3-checksec.py-native_0.6.1.bb, its not needed.
If you run checksec manually against some binary e.g. ls.coreutils it outputs something like this:

https://pastebin.com/JkeN1h3k

Not sure what this should output.

-armin


Re: [meta-security][PATCH 1/2] image-with-hardened-binaries: add class

Armin Kuster
 

Hello Max,

See feedback below

On 8/13/21 6:18 AM, Maximilian Blenk wrote:
Add class to analyze binaries with checksec.py. checksec.py is a tool
that checks if security features of a compiler have been used. To do
so, it analyses the resulting binaries:
* NX Proctection is enabled
* Full RELRO is enabled
* RPATH and RUNPATH are not set
* Executables are compiled to be position independent
* FORTIFY_SOURCE is set (false-positives possible)
* Stack Canaries are enabled (false-positives possible)

Signed-off-by: Maximilian Blenk <Maximilian.Blenk@...>
---
Hi guys,

we are currently working on adding automatically checking the binaries
we put into an image for the presence of certain recommended compiler
features. To achieve this, we created a bbclass that wraps around the
existing project checksec.py (https://github.com/Wenzel/checksec.py). In
particular, checksec.py is used to check if
* relro is enabled
* executables are compiled to be position indipendet code
* rpath and runpath are not set
* stack canaries are enabled
* fortify source is enabled
I must however admit that the last two checks can suffer from
false-positives which need manual analysis and whitelisting (check can
also be completely disabled).

Motivation:
We've decided that such checks would be a nice thing to have because
people might overwrite important compiler flags in their local recipe.
Additionally there is always the possibility that components are shipped
as binaries instead of code (so they are actually build outside the
current build environment). Overall we've detected several cases where
required compiler flags have not been applied to shipped components.
After internal discussion we came to the conclusion that you guys would
maybe also be interested in this kind of checks, so I'm offering this
patch to you as well.

I would really appreciate your feedback :-)
I used these against current master and found some duplicate recipes in
either Core or meta-python so I removed these.

 python3-asttokens_2.0.5.bb     
 python3-colorama_%.bbappend   
 python3-docopt_0.6.2.bb      
 python3-setuptools-scm_6.0.1.bb
 python3-toml_%.bbappend        

see:
https://gitlab.com/akuster/meta-security/-/commit/1332825d23eb8ff08e124422b3f25a030c032c0b

I needed to covert to the new overrides scheme before I could build.

see:
https://gitlab.com/akuster/meta-security/-/commit/847bd7551acd3a9ca539b9beccd83a149bdd417d

feel free to reuse those changes.

Regarding the selftest, is there test for failure?

I ran this against core-image-minimal and nothing was printed out. Does
that mean its fine?

You may want to remove the ".py" from
python3-checksec.py-native_0.6.1.bb, its not needed.

-armin

BR Max

classes/image-with-hardened-binaries.bbclass | 338 ++++++++++++++++++
...1-main-Add-option-to-ignore-symlinks.patch | 81 +++++
.../0002-Elf-Fix-relro-detection.patch | 51 +++
...heck-Treat-binaries-with-0-fortifiab.patch | 33 ++
...o-use-pre-compiled-version-of-spdlog.patch | 154 ++++++++
.../python/python3-asttokens_2.0.5.bb | 15 +
.../python3-checksec.py-native_0.6.1.bb | 31 ++
.../python/python3-colorama_%.bbappend | 1 +
.../python/python3-commonmark_0.9.1.bb | 14 +
.../python/python3-docopt_0.6.2.bb | 18 +
.../python/python3-icontract_2.5.3.bb | 14 +
.../python/python3-lief_0.11.5.bb | 36 ++
.../python/python3-pylddwrap_1.0.1.bb | 21 ++
recipes-devtools/python/python3-rich_7.1.0.bb | 16 +
.../python/python3-setuptools-scm_6.0.1.bb | 17 +
.../python/python3-toml_%.bbappend | 1 +
16 files changed, 841 insertions(+)
create mode 100644 classes/image-with-hardened-binaries.bbclass
create mode 100644 recipes-devtools/python/files/python3-checksec.py/0001-main-Add-option-to-ignore-symlinks.patch
create mode 100644 recipes-devtools/python/files/python3-checksec.py/0002-Elf-Fix-relro-detection.patch
create mode 100644 recipes-devtools/python/files/python3-checksec.py/0003-fortify-source-check-Treat-binaries-with-0-fortifiab.patch
create mode 100644 recipes-devtools/python/files/python3-lief/0001-Enable-to-use-pre-compiled-version-of-spdlog.patch
create mode 100644 recipes-devtools/python/python3-asttokens_2.0.5.bb
create mode 100644 recipes-devtools/python/python3-checksec.py-native_0.6.1.bb
create mode 100644 recipes-devtools/python/python3-colorama_%.bbappend
create mode 100644 recipes-devtools/python/python3-commonmark_0.9.1.bb
create mode 100644 recipes-devtools/python/python3-docopt_0.6.2.bb
create mode 100644 recipes-devtools/python/python3-icontract_2.5.3.bb
create mode 100644 recipes-devtools/python/python3-lief_0.11.5.bb
create mode 100644 recipes-devtools/python/python3-pylddwrap_1.0.1.bb
create mode 100644 recipes-devtools/python/python3-rich_7.1.0.bb
create mode 100644 recipes-devtools/python/python3-setuptools-scm_6.0.1.bb
create mode 100644 recipes-devtools/python/python3-toml_%.bbappend

diff --git a/classes/image-with-hardened-binaries.bbclass b/classes/image-with-hardened-binaries.bbclass
new file mode 100644
index 0000000..d7d3908
--- /dev/null
+++ b/classes/image-with-hardened-binaries.bbclass
@@ -0,0 +1,338 @@
+# Provide qa checks to ensure all applications and libraries shipped with the image
+# have common compiler security features enabled. In particular there are checks that:
+# * nx protection is enabled
+# * relro is enabled
+# * executables (except for static linked ones) are position independent
+# * rpath and runpath are not set
+
+IMAGE_QA_COMMANDS += "image_check_binary_hardening"
+
+DEPENDS += "python3-checksec.py-native"
+
+inherit python3native
+
+# Add mappings to the path mappers (which determines if a binary is a application or
+# shared library). To add a mapping append " /path/from/the/root/to/bin:{application,library,ignore}"
+# to the list
+HARDENED_BINARIES_EXTRA_MAPPING ?= ""
+
+# Config file in TOML format:
+# [check]
+# enabled = true
+# whitelist = [
+# "path to some binary",
+# "path to some other binary"
+# ]
+# supported checks are: nx, relro, pie, rpath, runpath
+HARDENED_BINARIES_CONFIG_FILE ?= ""
+
+# Custom message to show in case of a detected violation
+# For instace if you want to add whom to contact for support
+HARDENED_BINARIES_CUSTOM_ERROR_MESSAGE ?= ""
+
+# Path to libc used for foritfy source analysis. If fortify_source check is
+# not enabled, this variable can be ignored.
+HARDENED_BINARIES_LIBC_PATH ?= "${IMAGE_ROOTFS}${baselib}/libc.so.6"
+
+python image_check_binary_hardening () {
+ import fnmatch
+ import json
+ import os
+ import subprocess
+ import toml
+ from collections import defaultdict, OrderedDict
+ from enum import Enum, auto
+
+ from oe.utils import ImageQAFailed
+
+ rootfs = d.getVar("IMAGE_ROOTFS")
+
+ #################################
+ ## Data about supported checks ##
+ #################################
+
+ class BinType(Enum):
+ IGNORE = "ignore"
+ APPLICATION = "application"
+ LIBRARY = "library"
+
+ # Dict of checks to perform on the analysis result of checksec.py
+ # Each entry needs to contain the following attributes:
+ # - allowed_value: Value in the analysis result that should be accepted
+ # - bintypes: List of types on which the check shall be enforced (e.g. PIE check on libraries
+ # doesn't make much sense because PIE is only for executables)
+ # - errormsg: Message that should be prompted in case violators have been found
+ # - ignore_static: Indicates if statically linked applications should be ignored for that check
+ # Notes specific checks:
+ # - NX: Needs to be enforced on applications and libraries. This is because if only a single shared
+ # library doesn't use that, the whole process needs to have a executable stack.
+ # - RELRO: Statically linked applications do not make use of relocation, so this check would always
+ # fail for statically linked applications.
+ # - PIE: This check is only valid for applications (as in "position independent executable" for
+ # applications vs. "position independent code" (PIC) for shared libraries)
+ CHECK_DATA = {
+ "nx" : {
+ "allowed_value": True,
+ "bintypes": [BinType.APPLICATION, BinType.LIBRARY],
+ "errormsg":
+ "The following {} binaries do not use nx (not executable) protection. This mechanism is used " \
+ "to separate data from executable code. Disabling this mechanism is a security issue because " \
+ "this enables attackers to put code onto the stack. Please also note, if the nx protection is " \
+ "disabled in a shared library, all binary objects that link against this library will not be " \
+ "protected. This message usually appears if your binary is linked using the \"-z execstack\" " \
+ "flag.",
+ "ignore_static": False,
+ },
+ "relro": {
+ "allowed_value": "Full",
+ "bintypes": [BinType.APPLICATION, BinType.LIBRARY],
+ "errormsg":
+ "The following {} binaries do not make use of the relro (relocation read-only). This feature " \
+ "prevents attackers from modifying addresses of functions that are located in shared libraries " \
+ "(which is a common technique to exploit vulnerabilities). Due to this, not making use of this " \
+ "feature is a security issue. Please make sure your application is linked using " \
+ "\"-Wl,-z,relro,-z,now\". ",
+ "ignore_static": True,
+ },
+ "rpath": {
+ "allowed_value": False,
+ "bintypes": [BinType.APPLICATION, BinType.LIBRARY],
+ "errormsg":
+ "The following {} binaries are making use of the rpath feature. This can easily enable an attacker " \
+ "to get malicious code executed if there is some issue with the file permissions at the specified " \
+ "location. Due to this, the usage of this feature is generally discouraged and needs approval " \
+ "by the security team.",
+ "ignore_static": False,
+ },
+ "runpath": {
+ "allowed_value": False,
+ "bintypes": [BinType.APPLICATION, BinType.LIBRARY],
+ "errormsg":
+ "The following {} binaries are making use of the runpath feature. This can easily enable an attacker" \
+ " to get malicious code executed if there is some issue with the file permissions at the specified " \
+ "location. Due to this, the usage of this feature is generally discouraged and needs approval " \
+ "by the security team.",
+ "ignore_static": False,
+ },
+ "pie": {
+ "allowed_value": "PIE",
+ "bintypes": [BinType.APPLICATION],
+ "errormsg":
+ "The following {} applications are not compiled to be position independent executables (pie). This " \
+ "compiler feature compiles the code in a way that it can be mapped to any location in the virtual " \
+ "memory. Compiling the application this way is required to make use of the Address Space Layout " \
+ "Randomization (ASLR). This feature maps executable code to a random location, which means an " \
+ "attacker can not rely on the fact that a specific portion of code is mapped to a specific address. " \
+ "Please ensure that you application is compiled using \"-fPIE\".",
+ "ignore_static": True,
+ },
+ "canary": {
+ "allowed_value": True,
+ "bintypes": [BinType.APPLICATION, BinType.LIBRARY],
+ "errormsg":
+ "The following {} binaries seem to be not using stack canaries. These canaries are used to mitigate " \
+ "stack buffer overflows attacks. To do so the compiler adds checks to the end of a function to " \
+ "ensure that this function did not overwrite the stack frames of another function. Not using " \
+ "canaries may allow an attacker to exploit stack based buffer overflows by modifying the stack frame " \
+ "of other function calls (which simplifies exploiting such vulnerabilities a lot). Please make sure " \
+ "your components are compiled with the \"-fstack-protector-strong\" compile flag. Please note that " \
+ "there is a slight possibility for false-positives in this check: The compiler checks if a function " \
+ "needs canary protection or not. If there is no function that needs proctedtion in your binary, this " \
+ "check will fail anyway and the binary needs to be whitelisted.",
+ "ignore_static": False,
+ },
+ "fortify_source": {
+ "allowed_value": True,
+ "bintypes": [BinType.APPLICATION, BinType.LIBRARY],
+ "errormsg":
+ "The following {} binaries seem to be not using the fortify source feature. This feature protects " \
+ "(some, not all) calls to memory manipulations function like memcpy, strcpy or strcat by adding " \
+ "checks that prevent buffer overflows. These checks can prevent attackers from exploiting such a " \
+ "buffer overflow. Please make sure your component is compiled with \"-D_FORTIFY_SOURCE=2\". In " \
+ "addition the compiler optimizations need to be enabled with \"-O1\" or higher. Please note that " \
+ "there is a slight possibility for false positives here: Not all occurences of these mentioned " \
+ "memory calls that can not be protected they will appear as if_FORTIFY_SOURCE has not been set. " \
+ "In such a case the binary needs to be whitelisted.",
+ "ignore_static": False,
+ }
+ }
+
+ #################################
+ ## Parse data from config file ##
+ #################################
+
+ config_file = d.getVar("HARDENED_BINARIES_CONFIG_FILE", True)
+ if not config_file:
+ msg = "Hardend Binary Check: No config file specifed. Please create a config file and set " \
+ "the variable \"HARDENED_BINARIES_CONFIG_FILE\" accordingly"
+ raise ImageQAFailed(msg, image_check_binary_hardening)
+
+ CHECK_CONFIG_DATA = defaultdict(lambda: {"enabled": False})
+ CHECK_CONFIG_DATA.update(toml.load(config_file))
+
+ # Expand whitelisted paths with rootfs
+ for check, values in CHECK_CONFIG_DATA.items():
+ values["whitelist"] = [rootfs + x for x in values["whitelist"]]
+
+ ###############################################
+ ## Classes and functions to perform analysis ##
+ ###############################################
+
+ class PathMapping:
+ """ Class to map paths to BinTypes """
+ def __init__(self, rootfs):
+ self.rootfs = rootfs
+ self.mapping = OrderedDict()
+
+ self.add("/bin/*", BinType.APPLICATION)
+ self.add("/lib/firmware/*", BinType.IGNORE)
+ self.add("/lib/modules/*", BinType.IGNORE)
+ self.add("/lib/systemd/*.so", BinType.LIBRARY)
+ self.add("/lib/systemd/*", BinType.APPLICATION)
+ self.add("/lib/*", BinType.LIBRARY)
+ self.add("/sbin/*", BinType.APPLICATION)
+ self.add("/usr/bin/*", BinType.APPLICATION)
+ self.add("/usr/libexec/*", BinType.APPLICATION)
+ self.add("/usr/lib/firmware/*", BinType.IGNORE)
+ self.add("/usr/lib/modules/*", BinType.IGNORE)
+ self.add("/usr/lib/systemd/*.so", BinType.LIBRARY)
+ self.add("/usr/lib/systemd/*", BinType.APPLICATION)
+ self.add("/usr/lib/*", BinType.LIBRARY)
+ self.add("/usr/sbin/*", BinType.APPLICATION)
+
+
+ def add(self, path, bin_type):
+ """ Add mapping of a path to a FileyType """
+ self.mapping[self.rootfs + path] = bin_type
+
+ def map(self, path):
+ """ Map a path to a FilesType. Returns None if path can not be mapped. """
+ for match_path, bin_type in self.mapping.items():
+ if fnmatch.fnmatch(path, match_path):
+ return bin_type
+ else:
+ return None
+
+ def call_checksec(rootfs):
+ """ Wrapper to call the checksec.py script
+
+ This function returns a list of result dicts, e.g.:
+ [
+ ...,
+ "/bin/systemd-hwdb": {
+ "relro": "No",
+ "canary": true,
+ "nx": true,
+ "pie": "PIE",
+ "rpath": false,
+ "runpath": false,
+ "symbols": false,
+ "fortify_source": true,
+ "fortified": 5,
+ "fortify-able": 16,
+ "fortify_score": 31
+ }
+ ]
+
+ """
+ parallel_make = d.getVar("PARALLEL_MAKE")
+
+ cmd = ["python3", "-m", "checksec", "--json", "--recursive", "--ignore-symlinks"]
+ if parallel_make:
+ cmd.append(parallel_make.replace("-j", "--workers="))
+ if CHECK_CONFIG_DATA["foritfy_source"]["enabled"]:
+ libc_path = d.getVar("HARDENED_BINARIES_LIBC_PATH", True)
+ cmd.append("--set-libc={}".format(libc_path))
+ cmd.append(rootfs)
+
+ return json.loads(subprocess.check_output(cmd).decode('utf-8'))
+
+
+ class ResultAnalyzer:
+ """ Class to evaluate the results produced by checksec.py """
+ def __init__(self, rootfs):
+ self.rootfs = rootfs
+ self.violators = defaultdict(list)
+
+ @staticmethod
+ def __is_static(path):
+ """ Checks if binary at given path is statically linked """
+ return "statically linked" in subprocess.check_output(["file", path], stderr=subprocess.STDOUT).decode('utf-8')
+
+ def check_result(self, path, result, bintype):
+ """ Perfom checks specified in CHECK_DATA on the given analysis result (of a specific binary) """
+
+ for check, values in CHECK_DATA.items():
+ if CHECK_CONFIG_DATA[check]["enabled"] and bintype in values["bintypes"]:
+ for whitelisted in CHECK_CONFIG_DATA[check]["whitelist"]:
+ if fnmatch.fnmatch(path, whitelisted):
+ break
+ else:
+ if result[check] != values["allowed_value"] and \
+ (not values["ignore_static"] or not self.__is_static(path)):
+ self.violators[check].append(path)
+
+
+ def perform_analysis(rootfs):
+ """ Analyze all binaries in a given rootfs. In case a container shall be analyzed the absolute path to the container_path
+ rootfs needs to be passed.
+ """
+
+ # Add custom path mapping (for bins in non-standard locations)
+ path_mapping = PathMapping(rootfs)
+ extra_mapping = d.getVar("HARDENED_BINARIES_EXTRA_MAPPING")
+ if extra_mapping:
+ for mapping in extra_mapping.split():
+ try:
+ path, type = mapping.split(':')
+ except:
+ bb.error("Hardened Binary Checks: Got misformated extra mapping {}. Mapping needs to be " \
+ "in form: \"<path regex>:{application,library,ignore}\"".format(mapping))
+ raise
+ path_mapping.add(path, BinType(type))
+
+ # Perform analysis of complete rootfs
+ analysis_result = call_checksec(rootfs)
+
+ # Check analysis results and ensure that all we can actually map all binaries to a BinType
+ result_analyzer = ResultAnalyzer(rootfs)
+ unmapped_binaries = []
+ for path, result in analysis_result.items():
+ bintype = path_mapping.map(path)
+ if bintype in [BinType.APPLICATION, BinType.LIBRARY]:
+ result_analyzer.check_result(path, result, bintype)
+ elif bintype != BinType.IGNORE:
+ unmapped_binaries.append(path)
+
+ # To ensure that we analyze all the binaries lets break the build if we can not map binaries
+ if unmapped_binaries:
+ msg = "Hardend Binary Check: Couldn't figure out if the following files are applications " \
+ "or libraries. This is probably due to a non standard location for applications or " \
+ "libraries. If you think this is required add the mapping to " \
+ "HARDENED_BINARIES_EXTRA_MAPPING and/or contact mgu-security-frontdesk@..." \
+ "\nUnmapped:\n{}".format("\n".join(unmapped_binaries),
+ image_check_binary_hardening)
+ raise ImageQAFailed(msg, image_check_binary_hardening)
+
+ custom_error_message = d.getVar('HARDENED_BINARIES_CUSTOM_ERROR_MESSAGE')
+
+ # Break the build and show error message if we detected violators that are not whitelisted
+ errors = []
+ for check, violators in result_analyzer.violators.items():
+ if violators:
+ errormsg = CHECK_DATA[check]["errormsg"].format(len(violators))
+ errormsg += "\n{}".format("\n".join(violators))
+ if custom_error_message:
+ errormsg += "\n" + custom_error_message
+ errors.append(errormsg)
+
+ if errors:
+ raise ImageQAFailed("\n".join(errors), image_check_binary_hardening)
+
+ ##############################
+ ## Start analysis on rootfs ##
+ ##############################
+
+ perform_analysis(rootfs)
+
+}
diff --git a/recipes-devtools/python/files/python3-checksec.py/0001-main-Add-option-to-ignore-symlinks.patch b/recipes-devtools/python/files/python3-checksec.py/0001-main-Add-option-to-ignore-symlinks.patch
new file mode 100644
index 0000000..ae434bc
--- /dev/null
+++ b/recipes-devtools/python/files/python3-checksec.py/0001-main-Add-option-to-ignore-symlinks.patch
@@ -0,0 +1,81 @@
+From 182268203951750dcfb2c134354e801dea472e4c Mon Sep 17 00:00:00 2001
+From: Maximilian Blenk <Maximilian.Blenk@...>
+Date: Fri, 2 Jul 2021 14:42:25 +0200
+Subject: [PATCH 1/2] main: Add option to ignore symlinks
+
+When analyzing a complete rootfs (which might not be the rootfs of the
+analyzing system) symlinks within that rootfs might be broken. In
+particular absolute symlinks. However, if by chance such a symlink
+currently points to a valid binary in your system, this binary pointed
+to is analyzed. This commit adds the possibility to ignore symlinks to
+files (symlinks to dirs are already ignored by default). This allows to
+solve the issue described above, and if the whole rootfs is analyzed
+there shouldn't be a loss of information (because all the binaries will
+be analyzed anyway). Additionally, this also saves some time when
+performing the analysis.
+
+Upstream-Status: Submitted https://github.com/Wenzel/checksec.py/pull/106
+---
+ checksec/__main__.py | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/checksec/__main__.py b/checksec/__main__.py
+index 856d0b3..f1a3445 100644
+--- a/checksec/__main__.py
++++ b/checksec/__main__.py
+@@ -8,6 +8,7 @@ Options:
+ -w WORKERS --workers=WORKERS Specify the number of process pool workers [default: 4]
+ -j --json Display results as JSON
+ -s LIBC --set-libc=LIBC Specify LIBC library to use to check for fortify scores (ELF)
++ -i --ignore-symlinks Ignore symlinks to files
+ -d --debug Enable debug output
+ -h --help Display this message
+ """
+@@ -27,15 +28,15 @@ from .pe import PEChecksecData, PESecurity, is_pe
+ from .utils import lief_set_logging
+
+
+-def walk_filepath_list(filepath_list: List[Path], recursive: bool = False) -> Iterator[Path]:
++def walk_filepath_list(filepath_list: List[Path], recursive: bool = False, ignore_symlinks: bool = False) -> Iterator[Path]:
+ for path in filepath_list:
+ if path.is_dir() and not path.is_symlink():
+ if recursive:
+ for f in os.scandir(path):
+- yield from walk_filepath_list([Path(f)], recursive)
++ yield from walk_filepath_list([Path(f)], recursive, ignore_symlinks)
+ else:
+ yield from (Path(f) for f in os.scandir(path))
+- elif path.is_file():
++ elif path.is_file() and (not ignore_symlinks or not path.is_symlink()):
+ yield path
+
+
+@@ -72,6 +73,7 @@ def main(args):
+ json = args["--json"]
+ recursive = args["--recursive"]
+ libc_path = args["--set-libc"]
++ ignore_symlinks = args["--ignore-symlinks"]
+
+ # logging
+ formatter = "%(asctime)s %(levelname)s:%(name)s:%(message)s"
+@@ -107,7 +109,7 @@ def main(args):
+ # we need to consume the iterator once to get the total
+ # for the progress bar
+ check_output.enumerating_tasks_start()
+- count = sum(1 for i in walk_filepath_list(filepath_list, recursive))
++ count = sum(1 for i in walk_filepath_list(filepath_list, recursive, ignore_symlinks))
+ check_output.enumerating_tasks_stop(count)
+ with ProcessPoolExecutor(
+ max_workers=workers, initializer=worker_initializer, initargs=(libc_path,)
+@@ -116,7 +118,7 @@ def main(args):
+ check_output.processing_tasks_start()
+ future_to_checksec = {
+ pool.submit(checksec_file, filepath): filepath
+- for filepath in walk_filepath_list(filepath_list, recursive)
++ for filepath in walk_filepath_list(filepath_list, recursive, ignore_symlinks)
+ }
+ for future in as_completed(future_to_checksec):
+ filepath = future_to_checksec[future]
+--
+2.31.1
+
diff --git a/recipes-devtools/python/files/python3-checksec.py/0002-Elf-Fix-relro-detection.patch b/recipes-devtools/python/files/python3-checksec.py/0002-Elf-Fix-relro-detection.patch
new file mode 100644
index 0000000..a891c2b
--- /dev/null
+++ b/recipes-devtools/python/files/python3-checksec.py/0002-Elf-Fix-relro-detection.patch
@@ -0,0 +1,51 @@
+From f550777f35e178bc16a2ec612b2b39aa2c3946f2 Mon Sep 17 00:00:00 2001
+From: Maximilian Blenk <Maximilian.Blenk@...>
+Date: Fri, 2 Jul 2021 16:16:47 +0200
+Subject: [PATCH 2/2] Elf: Fix relro detection
+
+Currently, relro is only detected when the BIND_NOW is set. If however
+the NOW flag in the FLAGS_1 section is set, relro is not detected (it
+does not even tell that relro is enabled partially). With this commit
+relro is detected correctly.
+
+Upstream-Status: Submitted https://github.com/Wenzel/checksec.py/pull/107
+---
+ checksec/elf.py | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/checksec/elf.py b/checksec/elf.py
+index 78ecacc..ef1850c 100644
+--- a/checksec/elf.py
++++ b/checksec/elf.py
+@@ -118,13 +118,24 @@ class ELFSecurity(BinarySecurity):
+ def relro(self) -> RelroType:
+ try:
+ self.bin.get(lief.ELF.SEGMENT_TYPES.GNU_RELRO)
+- if lief.ELF.DYNAMIC_FLAGS.BIND_NOW in self.bin.get(lief.ELF.DYNAMIC_TAGS.FLAGS):
+- return RelroType.Full
+- else:
+- return RelroType.Partial
+ except lief.not_found:
+ return RelroType.No
+
++ try:
++ bind_now = lief.ELF.DYNAMIC_FLAGS.BIND_NOW in self.bin.get(lief.ELF.DYNAMIC_TAGS.FLAGS)
++ except lief.not_found:
++ bind_now = False
++
++ try:
++ now = lief.ELF.DYNAMIC_FLAGS_1.NOW in self.bin.get(lief.ELF.DYNAMIC_TAGS.FLAGS_1)
++ except lief.not_found:
++ now = False
++
++ if bind_now or now:
++ return RelroType.Full
++ else:
++ return RelroType.Partial
++
+ @property
+ def has_canary(self) -> bool:
+ canary_sections = ["__stack_chk_fail", "__intel_security_cookie"]
+--
+2.31.1
+
diff --git a/recipes-devtools/python/files/python3-checksec.py/0003-fortify-source-check-Treat-binaries-with-0-fortifiab.patch b/recipes-devtools/python/files/python3-checksec.py/0003-fortify-source-check-Treat-binaries-with-0-fortifiab.patch
new file mode 100644
index 0000000..0351f84
--- /dev/null
+++ b/recipes-devtools/python/files/python3-checksec.py/0003-fortify-source-check-Treat-binaries-with-0-fortifiab.patch
@@ -0,0 +1,33 @@
+From 8de048c0065f8c5890d9e04ef2b32306e2ac4f8c Mon Sep 17 00:00:00 2001
+From: Maximilian Blenk <Maximilian.Blenk@...>
+Date: Thu, 5 Aug 2021 15:21:58 +0200
+Subject: [PATCH] fortify source check: Treat binaries with 0 fortifiable as
+ fortified
+
+Currently, if checksec.py detects 0 fortifiable instances it still
+treats the binary as not fortified. Semtically it would make sense to
+treat these binaries as fortified (because there is no evidence that it
+is not)
+
+Upstream-Status: Submitted https://github.com/Wenzel/checksec.py/pull/109
+---
+ checksec/elf.py | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/checksec/elf.py b/checksec/elf.py
+index ef1850c..5914135 100644
+--- a/checksec/elf.py
++++ b/checksec/elf.py
+@@ -229,8 +229,7 @@ class ELFSecurity(BinarySecurity):
+ else:
+ score = (fortified_count * 100) / fortifiable_count
+ score = round(score)
+-
+- fortify_source = True if fortified_count != 0 else False
++ fortify_source = True if fortified_count != 0 or fortifiable_count == 0 else False
+ return ELFChecksecData(
+ relro=self.relro,
+ canary=self.has_canary,
+--
+2.31.1
+
diff --git a/recipes-devtools/python/files/python3-lief/0001-Enable-to-use-pre-compiled-version-of-spdlog.patch b/recipes-devtools/python/files/python3-lief/0001-Enable-to-use-pre-compiled-version-of-spdlog.patch
new file mode 100644
index 0000000..af94cfa
--- /dev/null
+++ b/recipes-devtools/python/files/python3-lief/0001-Enable-to-use-pre-compiled-version-of-spdlog.patch
@@ -0,0 +1,154 @@
+From d2ad8f6108c750c3dbd33ee6d4e4c94ada748b8a Mon Sep 17 00:00:00 2001
+From: Romain Thomas <me@...>
+Date: Mon, 3 May 2021 11:25:49 +0200
+Subject: [PATCH] Enable to use pre-compiled version of spdlog
+
+---
+ CMakeLists.txt | 8 ++++----
+ cmake/LIEFDependencies.cmake | 36 +++++++++++++++++++++++-------------
+ cmake/LIEFOptions.cmake | 4 ++++
+ setup.py | 17 +++++++++++++++++
+ 4 files changed, 48 insertions(+), 17 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index d1665cd..b92519a 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -307,8 +307,7 @@ source_group("mbedtls\\tls" FILES ${mbedtls_src_tls})
+ # Library definition
+ # ==================
+ target_include_directories(
+- LIB_LIEF SYSTEM PRIVATE "${SPDLOG_SOURCE_DIR}/include"
+- "${MBEDTLS_INCLUDE_DIRS}")
++ LIB_LIEF SYSTEM PRIVATE "${MBEDTLS_INCLUDE_DIRS}")
+
+ target_include_directories(
+ LIB_LIEF
+@@ -355,7 +354,8 @@ target_sources(LIB_LIEF PRIVATE
+ ${CMAKE_CURRENT_BINARY_DIR}/include/LIEF/third-party/utfcpp/utf8.h)
+
+
+-add_dependencies(LIB_LIEF lief_spdlog lief_mbed_tls)
++add_dependencies(LIB_LIEF lief_mbed_tls)
++target_link_libraries(LIB_LIEF PRIVATE lief_spdlog)
+
+ # Flags definition
+ # ----------------
+@@ -626,7 +626,7 @@ install(
+ DESTINATION lib/pkgconfig
+ COMPONENT libraries)
+
+-export(TARGETS LIB_LIEF FILE LIEFExport.cmake)
++export(TARGETS LIB_LIEF lief_spdlog FILE LIEFExport.cmake)
+
+ # Package
+ # ======================
+diff --git a/cmake/LIEFDependencies.cmake b/cmake/LIEFDependencies.cmake
+index e75326f..37e6987 100644
+--- a/cmake/LIEFDependencies.cmake
++++ b/cmake/LIEFDependencies.cmake
+@@ -144,21 +144,31 @@ set(mbedtls_src_tls
+ "${MBEDTLS_SOURCE_DIR}/library/ssl_tls13_keys.c"
+ )
+
+-#set_source_files_properties("${MBEDTLS_SOURCE_DIR}/library/bignum.c" PROPERTIES COMPILE_FLAGS -Wno-overlength-strings)
++add_library(lief_spdlog INTERFACE)
+
+-set(SPDLOG_VERSION 1.8.2)
+-set(SPDLOG_SHA256 SHA256=f0410b12b526065802b40db01304783550d3d20b4b6fe2f8da55f9d08ed2035d)
+-set(SPDLOG_URL "${THIRD_PARTY_DIRECTORY}/spdlog-${SPDLOG_VERSION}.zip" CACHE STRING "URL to the spdlog lib repo")
+-ExternalProject_Add(lief_spdlog
+- URL ${SPDLOG_URL}
+- URL_HASH ${SPDLOG_SHA256}
+- CONFIGURE_COMMAND ""
+- BUILD_COMMAND ""
+- UPDATE_COMMAND ""
+- INSTALL_COMMAND "")
++if(LIEF_EXTERNAL_SPDLOG)
++ find_package(spdlog REQUIRED)
++ list(APPEND CMAKE_MODULE_PATH "${SPDLOG_DIR}/cmake")
++ target_link_libraries(lief_spdlog INTERFACE spdlog::spdlog)
++ get_target_property(SPDLOG_INC_DIR spdlog::spdlog INTERFACE_INCLUDE_DIRECTORIES)
++ target_include_directories(lief_spdlog SYSTEM INTERFACE ${SPDLOG_INC_DIR})
++else()
++ set(SPDLOG_VERSION 1.8.2)
++ set(SPDLOG_SHA256 SHA256=f0410b12b526065802b40db01304783550d3d20b4b6fe2f8da55f9d08ed2035d)
++ set(SPDLOG_URL "${THIRD_PARTY_DIRECTORY}/spdlog-${SPDLOG_VERSION}.zip" CACHE STRING "URL to the spdlog source")
++ ExternalProject_Add(lief_spdlog_project
++ URL ${SPDLOG_URL}
++ URL_HASH ${SPDLOG_SHA256}
++ CONFIGURE_COMMAND ""
++ BUILD_COMMAND ""
++ UPDATE_COMMAND ""
++ INSTALL_COMMAND "")
+
+-ExternalProject_get_property(lief_spdlog SOURCE_DIR)
+-set(SPDLOG_SOURCE_DIR "${SOURCE_DIR}")
++ ExternalProject_get_property(lief_spdlog_project SOURCE_DIR)
++ set(SPDLOG_SOURCE_DIR "${SOURCE_DIR}")
++ add_dependencies(lief_spdlog lief_spdlog_project)
++ target_include_directories(lief_spdlog SYSTEM INTERFACE ${SPDLOG_SOURCE_DIR}/include)
++endif()
+
+ # Fuzzing
+ # ~~~~~~~
+diff --git a/cmake/LIEFOptions.cmake b/cmake/LIEFOptions.cmake
+index fd6df6c..3bb92c3 100644
+--- a/cmake/LIEFOptions.cmake
++++ b/cmake/LIEFOptions.cmake
+@@ -45,6 +45,10 @@ option(LIEF_PROFILING "Enable performance profiling" OFF)
+ cmake_dependent_option(LIEF_INSTALL_COMPILED_EXAMPLES "Install LIEF Compiled examples" OFF
+ "LIEF_EXAMPLES" OFF)
+
++# Use a user-provided version of spdlog
++# It can be useful to reduce compile time
++option(LIEF_EXTERNAL_SPDLOG OFF)
++
+ set(LIEF_ELF_SUPPORT 0)
+ set(LIEF_PE_SUPPORT 0)
+ set(LIEF_MACHO_SUPPORT 0)
+diff --git a/setup.py b/setup.py
+index b915180..ad70bd8 100644
+--- a/setup.py
++++ b/setup.py
+@@ -45,6 +45,10 @@ class LiefDistribution(setuptools.Distribution):
+ ('lief-no-vdex', None, 'Disable VDEX module'),
+ ('lief-no-oat', None, 'Disable OAT module'),
+ ('lief-no-dex', None, 'Disable DEX module'),
++
++ ('lief-no-cache', None, 'Do not use compiler cache (ccache)'),
++
++ ('spdlog-dir=', None, 'Path to the directory that contains spdlogConfig.cmake'),
+ ]
+
+ def __init__(self, attrs=None):
+@@ -66,6 +70,10 @@ class LiefDistribution(setuptools.Distribution):
+
+ self.lief_no_android = False
+ self.doc = False
++
++ self.lief_no_cache = False
++
++ self.spdlog_dir = None
+ super().__init__(attrs)
+
+
+@@ -154,6 +162,15 @@ class BuildLibrary(build_ext):
+ else:
+ cmake_args += ["-DLIEF_LOGGING_DEBUG=off"]
+
++ if self.distribution.lief_no_cache:
++ cmake_args += ["-DLIEF_USE_CCACHE=off"]
++
++ # Setup spdlog configuration flags if
++ # the user provides --spdlog-dir
++ if self.distribution.spdlog_dir is not None:
++ cmake_args.append("-DLIEF_EXTERNAL_SPDLOG=ON")
++ cmake_args.append("-Dspdlog_DIR={}".format(self.distribution.spdlog_dir))
++
+ # Main formats
+ # ============
+ if self.distribution.lief_no_elf:
+--
+2.31.1
+
diff --git a/recipes-devtools/python/python3-asttokens_2.0.5.bb b/recipes-devtools/python/python3-asttokens_2.0.5.bb
new file mode 100644
index 0000000..7ac2052
--- /dev/null
+++ b/recipes-devtools/python/python3-asttokens_2.0.5.bb
@@ -0,0 +1,15 @@
+SUMMARY = "Annotate AST trees with source code positions"
+HOMEPAGE = "https://github.com/gristlabs/asttokens"
+AUTHOR = "Dmitry Sagalovskiy, Grist Labs <dmitry@...>"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=e3fc50a88d0a364313df4b21ef20c29e"
+
+SRC_URI[md5sum] = "0a2a057b9c9a220bffdb3e7512062f17"
+SRC_URI[sha256sum] = "9a54c114f02c7a9480d56550932546a3f1fe71d8a02f1bc7ccd0ee3ee35cf4d5"
+
+RDEPENDS_${PN} = "python3-six"
+DEPENDS += "python3-setuptools-scm python3-toml"
+
+inherit pypi setuptools3
+
+BBCLASSEXTEND += "native"
diff --git a/recipes-devtools/python/python3-checksec.py-native_0.6.1.bb b/recipes-devtools/python/python3-checksec.py-native_0.6.1.bb
new file mode 100644
index 0000000..edce0a6
--- /dev/null
+++ b/recipes-devtools/python/python3-checksec.py-native_0.6.1.bb
@@ -0,0 +1,31 @@
+SUMMARY = "Tool to verify the security properties of binaries"
+DESCRIPTION = "checksec.py is a tool verify if certain compiler flags \
+ have been enabled on compield applications and libraries."
+HOMEPAGE = "https://github.com/Wenzel/checksec.py"
+BUGTRACKER = "https://github.com/Wenzel/checksec.py/issues"
+SECTION = "devel/python"
+
+LICENSE = "GPL-3.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=1ebbd3e34237af26da5dc08a4e440464"
+
+RDEPENDS_${PN} += " \
+ python3-docopt-native \
+ python3-lief-native \
+ python3-pylddwrap-native \
+ python3-rich-native \
+ "
+
+# Needs to be pulled from github becuase pypi package is currently broken
+SRC_URI = " \
+ git://github.com/Wenzel/checksec.py.git;protocol=https;branch=master \
+ file://python3-checksec.py/0001-main-Add-option-to-ignore-symlinks.patch \
+ file://python3-checksec.py/0002-Elf-Fix-relro-detection.patch \
+ file://python3-checksec.py/0003-fortify-source-check-Treat-binaries-with-0-fortifiab.patch \
+ "
+
+SRCREV = "4335ecd08f6ee13ff4ca9b01e83857ae6a8074e9"
+
+S="${WORKDIR}/git"
+
+inherit setuptools3 native
+
diff --git a/recipes-devtools/python/python3-colorama_%.bbappend b/recipes-devtools/python/python3-colorama_%.bbappend
new file mode 100644
index 0000000..d6f5869
--- /dev/null
+++ b/recipes-devtools/python/python3-colorama_%.bbappend
@@ -0,0 +1 @@
+BBCLASSEXTEND += "native"
diff --git a/recipes-devtools/python/python3-commonmark_0.9.1.bb b/recipes-devtools/python/python3-commonmark_0.9.1.bb
new file mode 100644
index 0000000..a35abc3
--- /dev/null
+++ b/recipes-devtools/python/python3-commonmark_0.9.1.bb
@@ -0,0 +1,14 @@
+SUMMARY = "Python parser for the CommonMark Markdown spec"
+HOMEPAGE = "https://github.com/rtfd/commonmark.py"
+AUTHOR = "Bibek Kafle <bkafle662@...>, Roland Shoemaker <rolandshoemaker@...>"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=37e127eb75a030780aefcfc584e78523"
+
+SRC_URI[md5sum] = "cd1dc70c4714d9ed4117a40490c25e00"
+SRC_URI[sha256sum] = "452f9dc859be7f06631ddcb328b6919c67984aca654e5fefb3914d54691aed60"
+
+S = "${WORKDIR}/commonmark-0.9.1"
+
+inherit pypi setuptools3
+
+BBCLASSEXTEND += "native"
diff --git a/recipes-devtools/python/python3-docopt_0.6.2.bb b/recipes-devtools/python/python3-docopt_0.6.2.bb
new file mode 100644
index 0000000..c1b111a
--- /dev/null
+++ b/recipes-devtools/python/python3-docopt_0.6.2.bb
@@ -0,0 +1,18 @@
+
+SUMMARY = "Pythonic argument parser, that will make you smile"
+HOMEPAGE = "http://docopt.org"
+AUTHOR = "Vladimir Keleshev <vladimir@...>"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE-MIT;md5=09b77fb74986791a3d4a0e746a37d88f"
+
+SRC_URI = "https://github.com/docopt/docopt/archive/refs/tags/${PV}.tar.gz"
+SRC_URI[md5sum] = "a6c44155426fd0f7def8b2551d02fef6"
+SRC_URI[sha256sum] = "2113eed1e7fbbcd43fb7ee6a977fb02d0b482753586c9dc1a8e3b7d541426e99"
+
+S = "${WORKDIR}/docopt-0.6.2"
+
+RDEPENDS_${PN} = ""
+
+inherit setuptools3
+
+BBCLASSEXTEND += "native"
diff --git a/recipes-devtools/python/python3-icontract_2.5.3.bb b/recipes-devtools/python/python3-icontract_2.5.3.bb
new file mode 100644
index 0000000..88ac2ef
--- /dev/null
+++ b/recipes-devtools/python/python3-icontract_2.5.3.bb
@@ -0,0 +1,14 @@
+SUMMARY = "Provide design-by-contract with informative violation messages."
+HOMEPAGE = "https://github.com/Parquery/icontract"
+AUTHOR = "Marko Ristin <marko.ristin@...>"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=1d4a9b1f6b84bedf7a38843931e0dd57"
+
+SRC_URI[md5sum] = "6f41b9b84e4405374c160836587b3235"
+SRC_URI[sha256sum] = "b790101c8cc0d9df0105d852a645373c4d90d5049391b6e54db32a0acb4bccd7"
+
+inherit pypi setuptools3
+
+RDEPENDS_${PN} += "python3-asttokens"
+
+BBCLASSEXTEND += "native"
diff --git a/recipes-devtools/python/python3-lief_0.11.5.bb b/recipes-devtools/python/python3-lief_0.11.5.bb
new file mode 100644
index 0000000..5e4b422
--- /dev/null
+++ b/recipes-devtools/python/python3-lief_0.11.5.bb
@@ -0,0 +1,36 @@
+SUMMARY = "Library to instrument executable formats"
+DESCRIPTION = " \
+ This project provides a cross platform library which can parse, modify \
+ and abstract ELF, PE and MachO formats. \
+ "
+SECTION = "devel/python"
+HOMEPAGE = "https://github.com/lief-project/LIEF"
+LICENSE = "APACHE-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=1809bd489c3dae63aa0cb70070dc308e"
+
+SRC_URI = " \
+ https://github.com/lief-project/LIEF/releases/download/${PV}/lief-${PV}.zip \
+ file://python3-lief/0001-Enable-to-use-pre-compiled-version-of-spdlog.patch \
+ "
+SRC_URI[sha256sum] = "947825134d5dab91df218bb201fa4551814f1da0a47e4a890283716b800c8e8f"
+
+S = "${WORKDIR}/lief-${PV}"
+
+inherit setuptools3
+
+DEPENDS += "cmake-native"
+
+BBCLASSEXTEND += "native"
+
+DISTUTILS_BUILD_ARGS += " ${PARALLEL_MAKE} "
+
+do_compile() {
+ # From distutils3.bbclass (needs to be modified here to avoid usage of ccache)
+ cd ${DISTUTILS_SETUP_PATH}
+ NO_FETCH_BUILD=1 \
+ STAGING_INCDIR=${STAGING_INCDIR} \
+ STAGING_LIBDIR=${STAGING_LIBDIR} \
+ ${STAGING_BINDIR_NATIVE}/${PYTHON_PN}-native/${PYTHON_PN} setup.py \
+ --lief-no-cache build --build-base=${B} ${DISTUTILS_BUILD_ARGS} || \
+ bbfatal_log "'${PYTHON_PN} setup.py --lief-no-cache build ${DISTUTILS_BUILD_ARGS}' execution failed."
+}
diff --git a/recipes-devtools/python/python3-pylddwrap_1.0.1.bb b/recipes-devtools/python/python3-pylddwrap_1.0.1.bb
new file mode 100644
index 0000000..985c424
--- /dev/null
+++ b/recipes-devtools/python/python3-pylddwrap_1.0.1.bb
@@ -0,0 +1,21 @@
+SUMMARY = "Python wrapper for ldd"
+DESCRIPTION = " \
+ Pylddwrap wraps ldd *nix utility to determine shared libraries required by a program. \
+ "
+SECTION = "devel/python"
+HOMEPAGE = "https://github.com/Parquery/pylddwrap"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=48fd6c978d39a38b3a04f45a1456d0fa"
+
+SRC_URI[sha256sum] = "171a39fc7feb33e607706c57c08373ceb2f6fd4362af9241ccc65e80c948ccdf"
+
+inherit pypi setuptools3
+
+RDEPENDS_${PN} += "python3-icontract"
+
+do_install_append() {
+ rm -f "${D}/${datadir}/requirements.txt"
+ rm -f "${D}/${datadir}/README.rst"
+}
+
+BBCLASSEXTEND += "native"
diff --git a/recipes-devtools/python/python3-rich_7.1.0.bb b/recipes-devtools/python/python3-rich_7.1.0.bb
new file mode 100644
index 0000000..59c26a4
--- /dev/null
+++ b/recipes-devtools/python/python3-rich_7.1.0.bb
@@ -0,0 +1,16 @@
+SUMMARY = "Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal"
+HOMEPAGE = "https://github.com/willmcgugan/rich"
+AUTHOR = "Will McGugan <willmcgugan@...>"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=d0d35d5357392e5bfeb0d0a7e6ba4d83"
+
+SRC_URI[md5sum] = "25daeefa226770a84b98c591069b419c"
+SRC_URI[sha256sum] = "ff701be541be32bcf46e821487c00bf4fa560aa814fc3cc9b3d514fd9b19a6f6"
+
+S = "${WORKDIR}/rich-7.1.0"
+
+RDEPENDS_${PN} = "python3-typing-extensions python3-pygments python3-commonmark python3-colorama"
+
+inherit pypi setuptools3
+
+BBCLASSEXTEND += "native"
diff --git a/recipes-devtools/python/python3-setuptools-scm_6.0.1.bb b/recipes-devtools/python/python3-setuptools-scm_6.0.1.bb
new file mode 100644
index 0000000..234694e
--- /dev/null
+++ b/recipes-devtools/python/python3-setuptools-scm_6.0.1.bb
@@ -0,0 +1,17 @@
+SUMMARY = "the blessed package to manage your versions by scm tags"
+HOMEPAGE = "https://github.com/pypa/setuptools_scm/"
+AUTHOR = "Ronny Pfannschmidt <opensource@...>"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=838c366f69b72c5df05c96dff79b35f2"
+
+SRC_URI = "git://github.com/pypa/setuptools_scm.git;protocol=https;branch=main;tag=v${PV}"
+
+SRC_URI[sha256sum] = "8f85bfc7272fb5c04df28f00bde9db8f862c586d25fa155eea90fe62ea6a3302"
+
+RDEPENDS_${PN} = "python3-setuptools"
+
+inherit setuptools3
+
+S = "${WORKDIR}/git"
+
+BBCLASSEXTEND += "native"
diff --git a/recipes-devtools/python/python3-toml_%.bbappend b/recipes-devtools/python/python3-toml_%.bbappend
new file mode 100644
index 0000000..d6f5869
--- /dev/null
+++ b/recipes-devtools/python/python3-toml_%.bbappend
@@ -0,0 +1 @@
+BBCLASSEXTEND += "native"



Re: [meta-mingw] [PATCH] grpc: remove nl2 requirement since it is optional

Joshua Watt
 



On Sat, Aug 21, 2021, 6:26 AM Richard Purdie <richard.purdie@...> wrote:
On Fri, 2021-08-20 at 20:46 +0000, Sinan Kaya wrote:
> Signed-off-by: Sinan Kaya <okaya@...>
> ---
>  .../openembedded-layers/recipes-devtools/grpc/grpc_%.bbappend  | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/dynamic-layers/openembedded-layers/recipes-devtools/grpc/grpc_%.bbappend b/dynamic-layers/openembedded-layers/recipes-devtools/grpc/grpc_%.bbappend
> index a72496d..dc0ea42 100644
> --- a/dynamic-layers/openembedded-layers/recipes-devtools/grpc/grpc_%.bbappend
> +++ b/dynamic-layers/openembedded-layers/recipes-devtools/grpc/grpc_%.bbappend
> @@ -1,2 +1,5 @@
> +# doesn't build and not required
> +DEPENDS:remove:mingw32 = "libnsl2"
> +
>  EXTRA_OECMAKE:remove:mingw32 = "-DBUILD_SHARED_LIBS=ON"
>  EXTRA_OECMAKE:append:mingw32 = " -DBUILD_SHARED_LIBS=OFF"

Should we be making that a PACKAGECONFIG which mingw32 could change?

Yes, that's a good idea. Sinan, please make that change in meta-oe, then change this patch to remove it from PACKAGECONFIG


Cheers,

Richard


Re: [meta-mingw] [PATCH] grpc: remove nl2 requirement since it is optional

Richard Purdie
 

On Fri, 2021-08-20 at 20:46 +0000, Sinan Kaya wrote:
Signed-off-by: Sinan Kaya <okaya@...>
---
.../openembedded-layers/recipes-devtools/grpc/grpc_%.bbappend | 3 +++
1 file changed, 3 insertions(+)

diff --git a/dynamic-layers/openembedded-layers/recipes-devtools/grpc/grpc_%.bbappend b/dynamic-layers/openembedded-layers/recipes-devtools/grpc/grpc_%.bbappend
index a72496d..dc0ea42 100644
--- a/dynamic-layers/openembedded-layers/recipes-devtools/grpc/grpc_%.bbappend
+++ b/dynamic-layers/openembedded-layers/recipes-devtools/grpc/grpc_%.bbappend
@@ -1,2 +1,5 @@
+# doesn't build and not required
+DEPENDS:remove:mingw32 = "libnsl2"
+
EXTRA_OECMAKE:remove:mingw32 = "-DBUILD_SHARED_LIBS=ON"
EXTRA_OECMAKE:append:mingw32 = " -DBUILD_SHARED_LIBS=OFF"
Should we be making that a PACKAGECONFIG which mingw32 could change?

Cheers,

Richard


[meta-mingw] [PATCH] grpc: remove nl2 requirement since it is optional

Sinan Kaya <okaya@...>
 

Signed-off-by: Sinan Kaya <okaya@...>
---
.../openembedded-layers/recipes-devtools/grpc/grpc_%.bbappend | 3 +++
1 file changed, 3 insertions(+)

diff --git a/dynamic-layers/openembedded-layers/recipes-devtools/grpc/grpc_%.bbappend b/dynamic-layers/openembedded-layers/recipes-devtools/grpc/grpc_%.bbappend
index a72496d..dc0ea42 100644
--- a/dynamic-layers/openembedded-layers/recipes-devtools/grpc/grpc_%.bbappend
+++ b/dynamic-layers/openembedded-layers/recipes-devtools/grpc/grpc_%.bbappend
@@ -1,2 +1,5 @@
+# doesn't build and not required
+DEPENDS:remove:mingw32 = "libnsl2"
+
EXTRA_OECMAKE:remove:mingw32 = "-DBUILD_SHARED_LIBS=ON"
EXTRA_OECMAKE:append:mingw32 = " -DBUILD_SHARED_LIBS=OFF"
--
2.17.1


[meta-mingw] [PATCH 2/2] c-ares: disable shared build as it is broken

Sinan Kaya <okaya@...>
 

Signed-off-by: Sinan Kaya <okaya@...>
---
.../recipes-support/c-ares/c-ares_%.bbappend | 2 ++
1 file changed, 2 insertions(+)
create mode 100644 dynamic-layers/openembedded-layers/recipes-support/c-ares/c-ares_%.bbappend

diff --git a/dynamic-layers/openembedded-layers/recipes-support/c-ares/c-ares_%.bbappend b/dynamic-layers/openembedded-layers/recipes-support/c-ares/c-ares_%.bbappend
new file mode 100644
index 0000000..8ef58f9
--- /dev/null
+++ b/dynamic-layers/openembedded-layers/recipes-support/c-ares/c-ares_%.bbappend
@@ -0,0 +1,2 @@
+EXTRA_OECMAKE:append:mingw32 = "-DCARES_SHARED=OFF"
+EXTRA_OECMAKE:append:mingw32 = "-DCARES_STATIC=ON"
--
2.17.1


[meta-mingw] [PATCH 1/2] re2: disable shared build as it is broken

Sinan Kaya <okaya@...>
 

Signed-off-by: Sinan Kaya <okaya@...>
---
.../openembedded-layers/recipes-support/re2/re2_%.bbappend | 2 ++
1 file changed, 2 insertions(+)
create mode 100644 dynamic-layers/openembedded-layers/recipes-support/re2/re2_%.bbappend

diff --git a/dynamic-layers/openembedded-layers/recipes-support/re2/re2_%.bbappend b/dynamic-layers/openembedded-layers/recipes-support/re2/re2_%.bbappend
new file mode 100644
index 0000000..16bb5a0
--- /dev/null
+++ b/dynamic-layers/openembedded-layers/recipes-support/re2/re2_%.bbappend
@@ -0,0 +1,2 @@
+EXTRA_OECMAKE:remove:mingw32 = "-DBUILD_SHARED_LIBS=ON"
+EXTRA_OECMAKE:append:mingw32 = "-DBUILD_SHARED_LIBS=OFF"
--
2.17.1

2881 - 2900 of 57387