| Message ID | 20260207004109.2880231-1-johannes.schneider@leica-geosystems.com |
|---|---|
| State | New |
| Headers | show |
| Series | meta-arm: fixup new override syntax usage | expand |
On Sat, Feb 07, 2026 at 12:41:09AM +0000, Johannes Schneider via lists.yoctoproject.org wrote: > The placing of ' ' in combination with inline python variable > expansion can lead to missing/skipping the license file checksum > verification. This technique is relied upon in so many places, the issue would have been noticed long ago, if it was the case. > Fix this by using '+=' (which itself adds a space) instead of :append > (which concatenates strings without inserting a space) > > Fixes: 8dfdacd75c6c ("meta-arm: Convert to new override syntax") > Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com> > > --- > > By chance we had an incorrect checksum set as > meta-geosurv-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-leica_2.13.bb > LIC_FILES_CHKSUM += "file://docs/license.rst;md5=83b7626b8c7a37263c6a58af8d19bee1" > > Which 'bitbake -e' would resolve correctly: > > # $LIC_FILES_CHKSUM [3 operations] > # set /workspace/layers/openembedded-core/meta/conf/documentation.conf:268 > # [doc] "Checksums of the license text in the recipe source code." > # :append /workspace/layers/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc:57 > # "${@bb.utils.contains('TFA_MBEDTLS', '1', ' ${LIC_FILES_CHKSUM_MBEDTLS}', '', d)}" > # append /workspace/layers/meta-geosurv-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-leica_2.13.bb:41 > # "file://docs/license.rst;md5=83b7626b8c7a37263c6a58af8d19bee1" > # pre-expansion value: > # " file://docs/license.rst;md5=83b7626b8c7a37263c6a58af8d19bee1${@bb.utils.contains('TFA_MBEDTLS', '1', ' ${LIC_FILES_CHKSUM_MBEDTLS}', '', d)}" > LIC_FILES_CHKSUM=" file://docs/license.rst;md5=83b7626b8c7a37263c6a58af8d19bee1" > > Note the missing space in the pre-expansion value. The space is not missing, it is embedded in the ' ${LIC_FILES_CHKSUM_MBEDTLS}' You should be able to check it by setting TFA_MBEDTLS=1 and running bitbake -e > But the oe-core/meta/classes-global/license.bbclass check would miss. > > This went unnoticed for a long time and over many clean-builds, as > it would only very rarily raise the QA error. > > Sidenote: > I've looked over the meta-layer, but didn't spot any similar problems. > > --- > .../recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc > index 6a2c0da9..987b7a66 100644 > --- a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc > +++ b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc > @@ -49,10 +49,10 @@ SRC_URI_MBEDTLS ??= "" > # This should be set to MBEDTLS LIC FILES checksum > LIC_FILES_CHKSUM_MBEDTLS ??= "" > # add MBEDTLS to our sources if activated > -SRC_URI:append = " ${@bb.utils.contains('TFA_MBEDTLS', '1', '${SRC_URI_MBEDTLS}', '', d)}" Here the space is always appended, as it's outside of the inline code section. > +SRC_URI += "${@bb.utils.contains('TFA_MBEDTLS', '1', '${SRC_URI_MBEDTLS}', '', d)}" > # Update license variables > LICENSE:append = "${@bb.utils.contains('TFA_MBEDTLS', '1', ' & Apache-2.0', '', d)}" > -LIC_FILES_CHKSUM:append = "${@bb.utils.contains('TFA_MBEDTLS', '1', ' ${LIC_FILES_CHKSUM_MBEDTLS}', '', d)}" And here the space only gets appended, if the inline code returns true ^^^ > +LIC_FILES_CHKSUM += "${@bb.utils.contains('TFA_MBEDTLS', '1', '${LIC_FILES_CHKSUM_MBEDTLS}', '', d)}" > # add mbed TLS to version > SRCREV_FORMAT:append = "${@bb.utils.contains('TFA_MBEDTLS', '1', '_mbedtls', '', d)}" > > > base-commit: be599f9523c5784904274cec12596ae31e20121f > -- > 2.43.0
Hoi Denys, > > > On Sat, Feb 07, 2026 at 12:41:09AM +0000, Johannes Schneider via lists.yoctoproject.org wrote: > > The placing of ' ' in combination with inline python variable > > expansion can lead to missing/skipping the license file checksum > > verification. > > This technique is relied upon in so many places, the issue would have been > noticed long ago, if it was the case. > True, but as i've learned now: do_populate_lic is not always executed. What actually masked the issue with a wrong LIC_FILES_CHKSUM in the tfa recipe was that it was pulled in indirectly into the bootloader build - but not the rootfs build where the licenses get collected. Only when bitbake-building the tfa explicitly does bitbake also run the do_populate_lic task - and throw an error. > > > Fix this by using '+=' (which itself adds a space) instead of :append > > (which concatenates strings without inserting a space) > > > > Fixes: 8dfdacd75c6c ("meta-arm: Convert to new override syntax") > > Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com> > > > > --- > > > > By chance we had an incorrect checksum set as > > meta-geosurv-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-leica_2.13.bb > > LIC_FILES_CHKSUM += "file://docs/license.rst;md5=83b7626b8c7a37263c6a58af8d19bee1" > > > > Which 'bitbake -e' would resolve correctly: > > > > # $LIC_FILES_CHKSUM [3 operations] > > # set /workspace/layers/openembedded-core/meta/conf/documentation.conf:268 > > # [doc] "Checksums of the license text in the recipe source code." > > # :append /workspace/layers/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc:57 > > # "${@bb.utils.contains('TFA_MBEDTLS', '1', ' ${LIC_FILES_CHKSUM_MBEDTLS}', '', d)}" > > # append /workspace/layers/meta-geosurv-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-leica_2.13.bb:41 > > # "file://docs/license.rst;md5=83b7626b8c7a37263c6a58af8d19bee1" > > # pre-expansion value: > > # " file://docs/license.rst;md5=83b7626b8c7a37263c6a58af8d19bee1${@bb.utils.contains('TFA_MBEDTLS', '1', ' ${LIC_FILES_CHKSUM_MBEDTLS}', '', d)}" > > LIC_FILES_CHKSUM=" file://docs/license.rst;md5=83b7626b8c7a37263c6a58af8d19bee1" > > > > Note the missing space in the pre-expansion value. > > The space is not missing, it is embedded in the ' ${LIC_FILES_CHKSUM_MBEDTLS}' > You should be able to check it by setting TFA_MBEDTLS=1 and running bitbake -e > > > > But the oe-core/meta/classes-global/license.bbclass check would miss. > > > > This went unnoticed for a long time and over many clean-builds, as > > it would only very rarily raise the QA error. > > > > Sidenote: > > I've looked over the meta-layer, but didn't spot any similar problems. > > > > --- > > .../recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc | 4 ++-- > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc > > index 6a2c0da9..987b7a66 100644 > > --- a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc > > +++ b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc > > @@ -49,10 +49,10 @@ SRC_URI_MBEDTLS ??= "" > > # This should be set to MBEDTLS LIC FILES checksum > > LIC_FILES_CHKSUM_MBEDTLS ??= "" > > # add MBEDTLS to our sources if activated > > -SRC_URI:append = " ${@bb.utils.contains('TFA_MBEDTLS', '1', '${SRC_URI_MBEDTLS}', '', d)}" > > Here the space is always appended, as it's outside of the inline code section. > > > > +SRC_URI += "${@bb.utils.contains('TFA_MBEDTLS', '1', '${SRC_URI_MBEDTLS}', '', d)}" > > # Update license variables > > LICENSE:append = "${@bb.utils.contains('TFA_MBEDTLS', '1', ' & Apache-2.0', '', d)}" > > -LIC_FILES_CHKSUM:append = "${@bb.utils.contains('TFA_MBEDTLS', '1', ' ${LIC_FILES_CHKSUM_MBEDTLS}', '', d)}" > > And here the space only gets appended, if the inline code returns true ^^^ > I see - thnx for the rundown :-) What tripped me up was that in that trusted-firmware-a.inc file the variable assignments above/below do it differently - e.g. use '+=' instead of append. IMHO we could align all of them, to avoid someone else stumbling over that too (-: shall i send another patch that does this? (or a v2 of this one, dropping the wrong assumption in the commit message) Bottom line: i'm wrong / am barking up the wrong tree: the issue was hidden in our CI setup, not the recipe -> sorry for the noise :-S Gruß Johannes > > > +LIC_FILES_CHKSUM += "${@bb.utils.contains('TFA_MBEDTLS', '1', '${LIC_FILES_CHKSUM_MBEDTLS}', '', d)}" > > # add mbed TLS to version > > SRCREV_FORMAT:append = "${@bb.utils.contains('TFA_MBEDTLS', '1', '_mbedtls', '', d)}" > > > > > > base-commit: be599f9523c5784904274cec12596ae31e20121f > > -- > > 2.43.0 >
diff --git a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc index 6a2c0da9..987b7a66 100644 --- a/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc +++ b/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc @@ -49,10 +49,10 @@ SRC_URI_MBEDTLS ??= "" # This should be set to MBEDTLS LIC FILES checksum LIC_FILES_CHKSUM_MBEDTLS ??= "" # add MBEDTLS to our sources if activated -SRC_URI:append = " ${@bb.utils.contains('TFA_MBEDTLS', '1', '${SRC_URI_MBEDTLS}', '', d)}" +SRC_URI += "${@bb.utils.contains('TFA_MBEDTLS', '1', '${SRC_URI_MBEDTLS}', '', d)}" # Update license variables LICENSE:append = "${@bb.utils.contains('TFA_MBEDTLS', '1', ' & Apache-2.0', '', d)}" -LIC_FILES_CHKSUM:append = "${@bb.utils.contains('TFA_MBEDTLS', '1', ' ${LIC_FILES_CHKSUM_MBEDTLS}', '', d)}" +LIC_FILES_CHKSUM += "${@bb.utils.contains('TFA_MBEDTLS', '1', '${LIC_FILES_CHKSUM_MBEDTLS}', '', d)}" # add mbed TLS to version SRCREV_FORMAT:append = "${@bb.utils.contains('TFA_MBEDTLS', '1', '_mbedtls', '', d)}"
The placing of ' ' in combination with inline python variable expansion can lead to missing/skipping the license file checksum verification. Fix this by using '+=' (which itself adds a space) instead of :append (which concatenates strings without inserting a space) Fixes: 8dfdacd75c6c ("meta-arm: Convert to new override syntax") Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com> --- By chance we had an incorrect checksum set as meta-geosurv-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-leica_2.13.bb LIC_FILES_CHKSUM += "file://docs/license.rst;md5=83b7626b8c7a37263c6a58af8d19bee1" Which 'bitbake -e' would resolve correctly: # $LIC_FILES_CHKSUM [3 operations] # set /workspace/layers/openembedded-core/meta/conf/documentation.conf:268 # [doc] "Checksums of the license text in the recipe source code." # :append /workspace/layers/meta-arm/meta-arm/recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc:57 # "${@bb.utils.contains('TFA_MBEDTLS', '1', ' ${LIC_FILES_CHKSUM_MBEDTLS}', '', d)}" # append /workspace/layers/meta-geosurv-bsp/recipes-bsp/trusted-firmware-a/trusted-firmware-a-leica_2.13.bb:41 # "file://docs/license.rst;md5=83b7626b8c7a37263c6a58af8d19bee1" # pre-expansion value: # " file://docs/license.rst;md5=83b7626b8c7a37263c6a58af8d19bee1${@bb.utils.contains('TFA_MBEDTLS', '1', ' ${LIC_FILES_CHKSUM_MBEDTLS}', '', d)}" LIC_FILES_CHKSUM=" file://docs/license.rst;md5=83b7626b8c7a37263c6a58af8d19bee1" Note the missing space in the pre-expansion value. But the oe-core/meta/classes-global/license.bbclass check would miss. This went unnoticed for a long time and over many clean-builds, as it would only very rarily raise the QA error. Sidenote: I've looked over the meta-layer, but didn't spot any similar problems. --- .../recipes-bsp/trusted-firmware-a/trusted-firmware-a.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) base-commit: be599f9523c5784904274cec12596ae31e20121f