| Message ID | 20260420-cve-product-v1-1-812a75eba43b@bootlin.com |
|---|---|
| State | Superseded |
| Series | variables: add precision about special characters in CVE_PRODUCT |
Hi Benjamin,

On 4/20/26 10:18 AM, Benjamin Robin via lists.yoctoproject.org wrote:
> Indicate that special characters must not be escaped in CVE_PRODUCT
> starting from Wrynose.
>

This probably should be part of the migration manual as well then so it isn't missed when users upgrade.

It'd be extra nice if we had a commit hash in bitbake/oe-core related to this change

> Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
> ---
> documentation/ref-manual/variables.rst | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst
> index 317b75913396..edacb6be648d 100644
> --- a/documentation/ref-manual/variables.rst
> +++ b/documentation/ref-manual/variables.rst
> @@ -2056,6 +2056,9 @@ system and gives an overview of their function and contents.
>
> CVE_PRODUCT = "vendor:package"
>
> + Since Wrynose, special characters must not be escaped. For example,

Maybe specify the version number for the release, not everybody is necessarily aware of the release names. In documentation/ref-manual/release-process.rst we word it like "Version X.Y ("Release name")", in some other places we have "release name (X.Y)".

> + ``webkitgtk+`` no longer needs to be written as ``webkitgtk\+``.
> +

"needs" is probably the wrong choice here, it indicates we could still be writing it in the latter form. Maybe something along the lines of:

For example, the :term:`CVE_PRODUCT` variable for the ``webkitgtk+``
recipe must no longer be written as ``webkitgtk\+`` but rather
``webkitgtk+``.

would better fit the new behavior. What do you think?

Cheers,
Quentin

On Monday, April 20, 2026 at 10:35 AM, Quentin Schulz wrote:
> Hi Benjamin,
>
> On 4/20/26 10:18 AM, Benjamin Robin via lists.yoctoproject.org wrote:
> > Indicate that special characters must not be escaped in CVE_PRODUCT
> > starting from Wrynose.
> >
>
> This probably should be part of the migration manual as well then so it
> isn't missed when users upgrade.

Sadly, I will not have time to do that, but I can provide all the information needed for anyone who wants to write that part.

> It'd be extra nice if we had a commit hash in bitbake/oe-core related to
> this change

The first commit that changes this behavior is:
9dd9c0038907340ba08ff4c8ee06a8748c1ac00a

A second commit was added to improve it:
3c73dafd03b1ec1f2725981664db9541fba0142b

And a third commit was added to temporarily keep the compatibility:
b86c5ecdc0699cf6ab50e2a24e2b32e42ee7ed54
But the plan is to drop (revert) this commit after a few months...

> > Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
> > ---
> > documentation/ref-manual/variables.rst | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst
> > index 317b75913396..edacb6be648d 100644
> > --- a/documentation/ref-manual/variables.rst
> > +++ b/documentation/ref-manual/variables.rst
> > @@ -2056,6 +2056,9 @@ system and gives an overview of their function and contents.
> >
> > CVE_PRODUCT = "vendor:package"
> >
> > + Since Wrynose, special characters must not be escaped. For example,
>
> Maybe specify the version number for the release, not everybody is
> necessarily aware of the release names. In
> documentation/ref-manual/release-process.rst we word it like "Version
> X.Y ("Release name")", in some other places we have "release name (X.Y)".

I could replace it by: "Since Wrynose (6.0),"

> > + ``webkitgtk+`` no longer needs to be written as ``webkitgtk\+``.
> > +
>
> "needs" is probably the wrong choice here, it indicates we could still
> be writing it in the latter form. Maybe something along the lines of:
>
> For example, the :term:`CVE_PRODUCT` variable for the ``webkitgtk+``
> recipe must no longer be written as ``webkitgtk\+`` but rather
> ``webkitgtk+``.
>
> would better fit the new behavior. What do you think?

I think this is indeed way better.

>
> Cheers,
> Quentin
>

diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst index 317b75913396..edacb6be648d 100644 --- a/documentation/ref-manual/variables.rst +++ b/documentation/ref-manual/variables.rst @@ -2056,6 +2056,9 @@ system and gives an overview of their function and contents. CVE_PRODUCT = "vendor:package" + Since Wrynose, special characters must not be escaped. For example, + ``webkitgtk+`` no longer needs to be written as ``webkitgtk\+``. + :term:`CVE_STATUS` The CVE ID which is patched or should be ignored. Here is an example from the :oe_layerindex:`Python3 recipe</layerindex/recipe/23823>`::
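Review bot: In the added paragraph under CVE_PRODUCT, the first sentence says special characters "must not be escaped" while the example says ``webkitgtk+`` "no longer needs to be" escaped, which reads as optional; word the example as a requirement, for instance that the value is written ``webkitgtk+`` and not ``webkitgtk\+``. The paragraph also identifies the release only by the name "Wrynose" and does not say which characters count as special or what happens to a value that is still escaped. Since the thread mentions a temporary compatibility commit that is planned to be reverted, a sentence telling users to remove existing escapes when upgrading would be worth adding here.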
Indicate that special characters must not be escaped in CVE_PRODUCT
starting from Wrynose.

Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
---
documentation/ref-manual/variables.rst | 3 +++
1 file changed, 3 insertions(+)

---
base-commit: 2c12ec7bf29aedeacf82970a9d2eb262fde4670e
change-id: 20260420-cve-product-61f82ce503eb

Best regards,
--
Benjamin Robin <benjamin.robin@bootlin.com>
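
For anyone auditing a layer before upgrading, here is a scanner for the escaped form discussed in this thread. It is an added example, not part of the patch or of bitbake/oe-core. The regexes and the name `find_escaped_cve_products` are assumptions, and it generalizes the thread's single `webkitgtk\+` case to any backslash followed by a punctuation character, while treating a backslash at end of line as a continuation rather than an escape.

```python
import re

# Assumption: a CVE_PRODUCT assignment looks like
#   CVE_PRODUCT[:override...] <op> "value"
# with the usual BitBake operators; this is a text scan, not a BitBake parser.
ASSIGN = re.compile(
    r'^\s*CVE_PRODUCT(?::[\w${}.+-]+)*\s*'
    r'(?:\?\?=|\?=|:=|\+=|=\+|\.=|=\.|=)\s*"(.*)"\s*$')
# A backslash followed by a punctuation character is an escape such as "\+".
ESCAPE = re.compile(r'\\([^\w\s])')


def logical_lines(text):
    """Join BitBake continuation lines (backslash at end of line)."""
    buf, start = "", None
    for no, line in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield start, buf + line
        buf, start = "", None
    if start is not None:
        yield start, buf


def find_escaped_cve_products(text):
    """Return (line_no, old_value, unescaped_value) for each escaped value."""
    hits = []
    for no, line in logical_lines(text):
        m = ASSIGN.match(line)
        if m and ESCAPE.search(m.group(1)):
            value = m.group(1)
            hits.append((no, value, ESCAPE.sub(r"\1", value)))
    return hits


# Constructed recipe fragment for illustration.
SAMPLE = '''SUMMARY = "demo"
CVE_PRODUCT = "webkitgtk\\+"
CVE_PRODUCT:append = " vendor:package \\
    gnome:glib"
CVE_PRODUCT:class-native = "webkitgtk+"
'''

if __name__ == "__main__":
    for no, old, new in find_escaped_cve_products(SAMPLE):
        print(f"line {no}: {old!r} -> {new!r}")
```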