Message ID | 20220118130752.3463023-1-michael.opdenacker@bootlin.com |
---|---|
State | Accepted |
Commit | d8573e8a36eef61be1c9e7706c38ed28ca4c9962 |
Series | migration-3.5: mention task specific network access |
On Tue, 2022-01-18 at 14:07 +0100, Michael Opdenacker wrote: > Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com> > --- > documentation/migration-guides/migration-3.5.rst | 12 ++++++++++++ > 1 file changed, 12 insertions(+) > > diff --git a/documentation/migration-guides/migration-3.5.rst b/documentation/migration-guides/migration-3.5.rst > index bd807eb8c7..df15487b10 100644 > --- a/documentation/migration-guides/migration-3.5.rst > +++ b/documentation/migration-guides/migration-3.5.rst > @@ -22,6 +22,18 @@ Recipe changes > recipes now need to use ``;protocol=https`` at the end of GitHub > URLs. The same script as above can be used to convert the recipes. > > +- Network access from tasks is now disabled by default on kernels which support > + this feature (on most recent distros such as CentOS 8 and Debian 11 onwards). > + This means that tasks accessing the network need to be marked as such with the ``network`` > + flag. For example:: > + > + do_mytask[network] = "1" > + > + This is allowed by default from ``do_fetch`` but not from any of our other standard > + tasks. Recipes shouldn't be accessing the network outside of ``do_fetch`` as it > + usually undermines fetcher source mirroring, image and licence manifests, software > + auditing and supply chain security. > + > - The :term:`TOPDIR` variable and the current working directory are no longer modified > when parsing recipes. Any code depending on that behaviour will no longer work. Looks good to me, thanks! Cheers, Richard
diff --git a/documentation/migration-guides/migration-3.5.rst b/documentation/migration-guides/migration-3.5.rst index bd807eb8c7..df15487b10 100644 --- a/documentation/migration-guides/migration-3.5.rst +++ b/documentation/migration-guides/migration-3.5.rst @@ -22,6 +22,18 @@ Recipe changes recipes now need to use ``;protocol=https`` at the end of GitHub URLs. The same script as above can be used to convert the recipes. +- Network access from tasks is now disabled by default on kernels which support + this feature (on most recent distros such as CentOS 8 and Debian 11 onwards). + This means that tasks accessing the network need to be marked as such with the ``network`` + flag. For example:: + + do_mytask[network] = "1" + + This is allowed by default from ``do_fetch`` but not from any of our other standard + tasks. Recipes shouldn't be accessing the network outside of ``do_fetch`` as it + usually undermines fetcher source mirroring, image and licence manifests, software + auditing and supply chain security. + - The :term:`TOPDIR` variable and the current working directory are no longer modified when parsing recipes. Any code depending on that behaviour will no longer work.
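Review bot: The added bullet says network access is disabled "on kernels which support this feature" but never names the feature or tells the reader how to find out whether their build host enforces it. As worded, a task that reaches the network without the flag would keep working on a host that lacks support and only fail once the recipe is built elsewhere. Suggest naming or linking the mechanism, and stating that tasks needing the network should set ``do_mytask[network] = "1"`` regardless of the host. Two smaller points: in "This is allowed by default from ``do_fetch``" the "This" is ambiguous right after the literal block, and "Network access is allowed by default from ``do_fetch``" would read more clearly; and the added line ending in "with the ``network``" runs noticeably longer than the surrounding wrapped text and could be rewrapped.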
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com> --- documentation/migration-guides/migration-3.5.rst | 12 ++++++++++++ 1 file changed, 12 insertions(+)