| Message ID | 20260122080922.1695912-1-richard.purdie@linuxfoundation.org |
|---|---|
| State | New |
| Series | [v3] fetch2/npm/npmsw: Disable npm and npmsw fetchers due to security concerns |
On Thu, Jan 22, 2026 at 9:09 AM Richard Purdie via lists.openembedded.org <richard.purdie=linuxfoundation.org@lists.openembedded.org> wrote: > We've been made aware that are security issues within the npm/npmsw > fetchers. > The issue is that the code accepts data like checksums from the upstream > servers, rather than verifying it against local data from the recipes. This > means the upstream servers could feed aritrary data into the build. > > There have been maintainance issues on these fetchers for a while and > despite > asking in multiple forums, we've been unable to find anyone to help fix the > issues. Until that issue is resolved and we can be convinced the fetcher is > secure and modelling best practices for reproduciblity (inc. mirroring), > this > patch disables the fetchers. This has been discussed and agreed by the OE > TSC. > > Parsing will not show errors but the recipes using these fetchers will not > be > available. Recipes will be skipped at parsing and will show an error if a > user > tries to build a recipe using them. > > The import is local to the function to avoid circular dependencies within > the hashserv selftests. > > [YOCTO #16105] > > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> > --- > lib/bb/fetch2/npm.py | 6 +++++- > lib/bb/fetch2/npmsw.py | 4 ++++ > 2 files changed, 9 insertions(+), 1 deletion(-) > > diff --git a/lib/bb/fetch2/npm.py b/lib/bb/fetch2/npm.py > index e469d667687..72a24c8c35f 100644 > --- a/lib/bb/fetch2/npm.py > +++ b/lib/bb/fetch2/npm.py 
> @@ -150,7 +150,11 @@ class Npm(FetchMethod): > > def supports(self, ud, d): > """Check if a given url can be fetched with npm""" > - return ud.type in ["npm"] > + #return ud.type in ["npm"] > + if ud.type in ["npm"]: > + from bb.parse import SkipRecipe > + raise SkipRecipe("The npm fetcher has been disabled due to > security issues and there is maintainer to address them") > + return False > > def urldata_init(self, ud, d): > """Init npm specific variables within url data""" > diff --git a/lib/bb/fetch2/npmsw.py b/lib/bb/fetch2/npmsw.py > index 2f9599ee9e2..322c7b331e5 100644 > --- a/lib/bb/fetch2/npmsw.py > +++ b/lib/bb/fetch2/npmsw.py > @@ -64,6 +64,10 @@ class NpmShrinkWrap(FetchMethod): > def supports(self, ud, d): > """Check if a given url can be fetched with npmsw""" > return ud.type in ["npmsw"] > + if ud.type in ["npmsw"]: > + from bb.parse import SkipRecipe > + raise SkipRecipe("The npmsw fetcher has been disabled due to > security issues and there is maintainer to address them") > + return False > > def urldata_init(self, ud, d): > """Init npmsw specific variables within url data""" > > Hello Richard, I think there's still a missing word in the error message: "and there is" -> "and until there is". Cheers, Marta
On Thu, 2026-01-22 at 14:01 +0100, Marta Rybczynska wrote: > On Thu, Jan 22, 2026 at 9:09 AM Richard Purdie via lists.openembedded.org <richard.purdie=linuxfoundation.org@lists.openembedded.org> wrote: > > > > index 2f9599ee9e2..322c7b331e5 100644 > > --- a/lib/bb/fetch2/npmsw.py > > +++ b/lib/bb/fetch2/npmsw.py > > @@ -64,6 +64,10 @@ class NpmShrinkWrap(FetchMethod): > > def supports(self, ud, d): > > """Check if a given url can be fetched with npmsw""" > > return ud.type in ["npmsw"] > > + if ud.type in ["npmsw"]: > > + from bb.parse import SkipRecipe > > + raise SkipRecipe("The npmsw fetcher has been disabled due to security issues and there is maintainer to address them") > > + return False > > > > def urldata_init(self, ud, d): > > """Init npmsw specific variables within url data""" > > > > > > > I think there's still a missing word in the error message: "and there is" -> "and until there is". Well spotted, I lost one of the tweaks to the patch when I updated it to fix the import issue. I've added it "no" back so it reads: raise SkipRecipe("The npmsw fetcher has been disabled due to security issues and there is no maintainer to address them") Cheers, Richard
Hi Richard, Am 22.01.2026 um 14:01 schrieb Marta Rybczynska via lists.openembedded.org: > > > On Thu, Jan 22, 2026 at 9:09 AM Richard Purdie via > lists.openembedded.org <http://lists.openembedded.org> > <richard.purdie=linuxfoundation.org@lists.openembedded.org> wrote: > > We've been made aware that are security issues within the > npm/npmsw fetchers. > The issue is that the code accepts data like checksums from the > upstream > servers, rather than verifying it against local data from the > recipes. This > means the upstream servers could feed aritrary data into the build. > > There have been maintainance issues on these fetchers for a while > and despite > asking in multiple forums, we've been unable to find anyone to > help fix the > issues. Until that issue is resolved and we can be convinced the > fetcher is > secure and modelling best practices for reproduciblity (inc. > mirroring), this > patch disables the fetchers. This has been discussed and agreed by > the OE TSC. > > Parsing will not show errors but the recipes using these fetchers > will not be > available. Recipes will be skipped at parsing and will show an > error if a user > tries to build a recipe using them. > > The import is local to the function to avoid circular dependencies > within > the hashserv selftests. > > [YOCTO #16105] > > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> > --- > lib/bb/fetch2/npm.py | 6 +++++- > lib/bb/fetch2/npmsw.py | 4 ++++ > 2 files changed, 9 insertions(+), 1 deletion(-) > > diff --git a/lib/bb/fetch2/npm.py b/lib/bb/fetch2/npm.py > index e469d667687..72a24c8c35f 100644 > --- a/lib/bb/fetch2/npm.py > +++ b/lib/bb/fetch2/npm.py 
> @@ -150,7 +150,11 @@ class Npm(FetchMethod): > > def supports(self, ud, d): > """Check if a given url can be fetched with npm""" > - return ud.type in ["npm"] > + #return ud.type in ["npm"] > + if ud.type in ["npm"]: > + from bb.parse import SkipRecipe > + raise SkipRecipe("The npm fetcher has been disabled > due to security issues and there is maintainer to address them") > + return False > > def urldata_init(self, ud, d): > """Init npm specific variables within url data""" > diff --git a/lib/bb/fetch2/npmsw.py b/lib/bb/fetch2/npmsw.py > index 2f9599ee9e2..322c7b331e5 100644 > --- a/lib/bb/fetch2/npmsw.py > +++ b/lib/bb/fetch2/npmsw.py > @@ -64,6 +64,10 @@ class NpmShrinkWrap(FetchMethod): > def supports(self, ud, d): > """Check if a given url can be fetched with npmsw""" > return ud.type in ["npmsw"] > You forgot to remove or comment out this line. > + if ud.type in ["npmsw"]: > + from bb.parse import SkipRecipe > + raise SkipRecipe("The npmsw fetcher has been disabled > due to security issues and there is maintainer to address them") > + return False > > def urldata_init(self, ud, d): > """Init npmsw specific variables within url data""" > > Regard, Stefan
On Thu, 2026-01-22 at 15:53 +0100, Stefan Herbrechtsmeier wrote: > > Am 22.01.2026 um 14:01 schrieb Marta Rybczynska via > lists.openembedded.org: > > On Thu, Jan 22, 2026 at 9:09 AM Richard Purdie via > > lists.openembedded.org > > <richard.purdie=linuxfoundation.org@lists.openembedded.org> wrote: > > > > > diff --git a/lib/bb/fetch2/npmsw.py b/lib/bb/fetch2/npmsw.py > > > index 2f9599ee9e2..322c7b331e5 100644 > > > --- a/lib/bb/fetch2/npmsw.py > > > +++ b/lib/bb/fetch2/npmsw.py > > > @@ -64,6 +64,10 @@ class NpmShrinkWrap(FetchMethod): > > > def supports(self, ud, d): > > > """Check if a given url can be fetched with npmsw""" > > > return ud.type in ["npmsw"] > > > > > > > > > > > You forgot to remove or comment out this line. Thanks, I will send a new version and retest. Cheers, Richard
diff --git a/lib/bb/fetch2/npm.py b/lib/bb/fetch2/npm.py index e469d667687..72a24c8c35f 100644 --- a/lib/bb/fetch2/npm.py +++ b/lib/bb/fetch2/npm.py @@ -150,7 +150,11 @@ class Npm(FetchMethod): def supports(self, ud, d): """Check if a given url can be fetched with npm""" - return ud.type in ["npm"] + #return ud.type in ["npm"] + if ud.type in ["npm"]: + from bb.parse import SkipRecipe + raise SkipRecipe("The npm fetcher has been disabled due to security issues and there is maintainer to address them") + return False def urldata_init(self, ud, d): """Init npm specific variables within url data""" diff --git a/lib/bb/fetch2/npmsw.py b/lib/bb/fetch2/npmsw.py index 2f9599ee9e2..322c7b331e5 100644 --- a/lib/bb/fetch2/npmsw.py +++ b/lib/bb/fetch2/npmsw.py @@ -64,6 +64,10 @@ class NpmShrinkWrap(FetchMethod): def supports(self, ud, d): """Check if a given url can be fetched with npmsw""" return ud.type in ["npmsw"] + if ud.type in ["npmsw"]: + from bb.parse import SkipRecipe + raise SkipRecipe("The npmsw fetcher has been disabled due to security issues and there is maintainer to address them") + return False def urldata_init(self, ud, d): """Init npmsw specific variables within url data"""
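Review bot: In the npm.py hunk the SkipRecipe message "there is maintainer to address them" is missing a word; Richard confirms later in the thread that the intended wording is "there is no maintainer to address them". The line `#return ud.type in ["npm"]` kept above the new `if` is dead commented-out code and should be deleted rather than left behind, since the `return False` at the end of the new block already covers the non-npm case.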
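Review bot: In the npmsw.py hunk the original `return ud.type in ["npmsw"]` is left in place directly above the new `if ud.type in ["npmsw"]:` block, so `supports()` returns before reaching it and the SkipRecipe code is unreachable; as written the npmsw fetcher stays enabled and this hunk does not do what the commit message says. Remove that `return` line as was done for npm.py (Stefan raises the same point in the thread), and fix the same missing "no" in this message too.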
We've been made aware that there are security issues within the npm/npmsw fetchers. The issue is that the code accepts data like checksums from the upstream servers, rather than verifying it against local data from the recipes. This means the upstream servers could feed arbitrary data into the build.

There have been maintenance issues on these fetchers for a while and despite asking in multiple forums, we've been unable to find anyone to help fix the issues. Until that issue is resolved and we can be convinced the fetcher is secure and modelling best practices for reproducibility (inc. mirroring), this patch disables the fetchers. This has been discussed and agreed by the OE TSC.

Parsing will not show errors but the recipes using these fetchers will not be available. Recipes will be skipped at parsing and will show an error if a user tries to build a recipe using them.

The import is local to the function to avoid circular dependencies within the hashserv selftests.

[YOCTO #16105]

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 lib/bb/fetch2/npm.py   | 6 +++++-
 lib/bb/fetch2/npmsw.py | 4 ++++
 2 files changed, 9 insertions(+), 1 deletion(-)
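The trust boundary the commit message describes, shown as an added Python example that is not bitbake code and not part of the patch: the weak pattern takes the expected checksum from the registry's own `dist.integrity` field (the same party that served the tarball), the hardened pattern compares only against a value pinned locally in the recipe or lockfile. The tarball bytes, the `registry_dist` dict and its URL are constructed here for illustration; the SRI `"<algo>-<base64>"` format matches what npm lockfiles use.

```python
import base64
import hashlib
import hmac

# Constructed sample data, not from the page: a fake package tarball body and
# the kind of "dist" object an npm registry packument returns for a version.

def sri(data: bytes, algo: str = "sha512") -> str:
    """Subresource Integrity string ("<algo>-<base64 digest>") in the form
    used by package-lock.json / npm-shrinkwrap.json "integrity" fields."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def parse_sri(value: str) -> tuple[str, bytes]:
    """Split an SRI string into (algorithm, raw digest); reject unknown
    algorithms so a server cannot downgrade the comparison to a weak hash."""
    algo, sep, b64 = value.partition("-")
    if not sep or algo not in ("sha256", "sha384", "sha512"):
        raise ValueError(f"unsupported or malformed SRI value: {value!r}")
    return algo, base64.b64decode(b64, validate=True)

def _matches(tarball: bytes, integrity: str) -> bool:
    algo, expected = parse_sri(integrity)
    actual = hashlib.new(algo, tarball).digest()
    return hmac.compare_digest(actual, expected)

def verify_trusting_registry(tarball: bytes, registry_dist: dict) -> bool:
    """Weak pattern: the expected digest is taken from the registry response
    (dist.integrity), i.e. from the same party that served the tarball.  A
    malicious or compromised registry can rewrite both, so this proves
    nothing about what the recipe author intended to build."""
    return _matches(tarball, registry_dist["integrity"])

def verify_against_pinned(tarball: bytes, pinned_integrity: str) -> bool:
    """Hardened pattern: the expected digest is pinned locally (recipe
    metadata or a lockfile checked into the build tree) and the registry's
    own claim is never consulted, so a tampered download fails regardless
    of what the server says about it."""
    return _matches(tarball, pinned_integrity)

def demo() -> dict:
    genuine = b"genuine package contents 1.0.0\n"   # constructed
    pinned = sri(genuine)  # value a maintainer records when writing the recipe
    # Constructed hostile registry response: tampered tarball *and* a
    # dist.integrity rewritten to match it.
    tampered = b"tampered package contents with a backdoor\n"
    hostile_dist = {
        "tarball": "https://registry.example/pkg/-/pkg-1.0.0.tgz",  # hypothetical
        "integrity": sri(tampered),
    }
    return {
        "genuine_pinned": verify_against_pinned(genuine, pinned),                   # True
        "tampered_registry_claim": verify_trusting_registry(tampered, hostile_dist),  # True: fooled
        "tampered_pinned": verify_against_pinned(tampered, pinned),                 # False: caught
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The pinned check is only as strong as the provenance of the pinned value: it has to come from the recipe or a lockfile reviewed and committed alongside it, not be refreshed from the registry at fetch time, and the same pinned digest is what lets a mirror or PREMIRROR be trusted without re-contacting the upstream server.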