From patchwork Wed Apr 22 14:22:34 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Antonin Godard
X-Patchwork-Id: 86647
From: Antonin Godard
Date: Wed, 22 Apr 2026 16:22:34 +0200
Subject: [PATCH 01/16] conf.py: add a :yocto_bug: role
Message-Id: <20260422-third-release-notes-6-0-v1-1-06635e8648d1@bootlin.com>
References: <20260422-third-release-notes-6-0-v1-0-06635e8648d1@bootlin.com>
In-Reply-To: <20260422-third-release-notes-6-0-v1-0-06635e8648d1@bootlin.com>
To: docs@lists.yoctoproject.org
Cc: Thomas Petazzoni, Antonin Godard
X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/9311

Similar to :yocto_bugs: but directly create a hyperlink to the bug displayed with its identifier. Use as :yocto_bug:`12345`.
Signed-off-by: Antonin Godard --- documentation/conf.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/documentation/conf.py b/documentation/conf.py index 58c6406f1..7b201ebd6 100644 --- a/documentation/conf.py +++ b/documentation/conf.py @@ -97,6 +97,7 @@ oecore_git = f"{oe_git_server}/openembedded-core" bitbake_git = f"{oe_git_server}/bitbake" yocto_git_server = "https://git.yoctoproject.org" meta_yocto_git = f"{yocto_git_server}/meta-yocto" +bugzilla_server = "https://bugzilla.yoctoproject.org" # external links and substitutions extlinks = { 
@@ -109,7 +110,8 @@ extlinks = { 'yocto_wiki': ('https://wiki.yoctoproject.org/wiki%s', None), 'yocto_dl': ('https://downloads.yoctoproject.org%s', None), 'yocto_lists': ('https://lists.yoctoproject.org%s', None), - 'yocto_bugs': ('https://bugzilla.yoctoproject.org%s', None), + 'yocto_bugs': (f'{bugzilla_server}%s', None), + 'yocto_bug': (f'{bugzilla_server}/show_bug.cgi?id=%s', '%s'), 'yocto_ab': ('https://autobuilder.yoctoproject.org%s', None), 'yocto_docs': ('https://docs.yoctoproject.org%s', None), 'yocto_git': (f'{yocto_git_server}%s', None),
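
Review bot: In the second conf.py hunk of [PATCH 01/16], 'yocto_bug' and 'yocto_bugs' differ by a single letter but expect different arguments, and nothing in the file says so; the usage example lives only in the commit message. Because the 'yocto_bugs' target is f'{bugzilla_server}%s' with no separator, writing :yocto_bugs:`16074` by mistake expands to https://bugzilla.yoctoproject.org16074, which is a link to a different hostname rather than a build error. Suggest a comment above the two entries stating that yocto_bugs takes a path starting with "/" and yocto_bug takes a bare bug number.
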
From: Antonin Godard
Date: Wed, 22 Apr 2026 16:22:35 +0200
Subject: [PATCH 02/16] migration-guides/release-notes-6.0.rst: add known KVM issue
Message-Id: <20260422-third-release-notes-6-0-v1-2-06635e8648d1@bootlin.com>
References: <20260422-third-release-notes-6-0-v1-0-06635e8648d1@bootlin.com>
In-Reply-To: <20260422-third-release-notes-6-0-v1-0-06635e8648d1@bootlin.com>
To: docs@lists.yoctoproject.org
Cc: Thomas Petazzoni, Antonin Godard
X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/9309

And link to the bug in question on Bugzilla.
Signed-off-by: Antonin Godard --- documentation/migration-guides/release-notes-6.0.rst | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/documentation/migration-guides/release-notes-6.0.rst b/documentation/migration-guides/release-notes-6.0.rst index a4fd7a169..2ae182c8c 100644 --- a/documentation/migration-guides/release-notes-6.0.rst +++ b/documentation/migration-guides/release-notes-6.0.rst 
@@ -739,6 +739,10 @@ New Features / Enhancements in |yocto-ver| Known Issues in |yocto-ver| --------------------------- +- A known bug is affecting :term:`build hosts ` that have Intel + Ultra 7 CPUs and breaks :term:`OpenEmbedded-Core (OE-Core)` tests that + involve KVM. See bug :yocto_bug:`16074` for more information. + Recipe License changes in |yocto-ver| -------------------------------------
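
Review bot: The Known Issues entry added by [PATCH 02/16] says tests that involve KVM break on hosts with "Intel Ultra 7 CPUs" but gives no symptom or workaround, so a reader has to open bug 16074 to learn whether their host is affected and what to do about it. Suggest adding one clause on how the failure shows up and whether running the tests without KVM avoids it. "A known bug is affecting" can also be shortened, since the section title already says "Known Issues".
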
From: Antonin Godard
Date: Wed, 22 Apr 2026 16:22:36 +0200
Subject: [PATCH 03/16] migration-guides/migration-6.0.rst: document the CVE_PRODUCT behavior change
Message-Id: <20260422-third-release-notes-6-0-v1-3-06635e8648d1@bootlin.com>
References: <20260422-third-release-notes-6-0-v1-0-06635e8648d1@bootlin.com>
In-Reply-To: <20260422-third-release-notes-6-0-v1-0-06635e8648d1@bootlin.com>
To: docs@lists.yoctoproject.org
Cc: Thomas Petazzoni, Antonin Godard
X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/9310

After 9dd9c0038907 ("cve_check: Escape special characters in CPE 2.3 strings") and
3c73dafd03b1 ("cve_check: Improve escaping of special characters in CPE 2.3") in OE-Core. Signed-off-by: Antonin Godard --- documentation/migration-guides/migration-6.0.rst | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/documentation/migration-guides/migration-6.0.rst b/documentation/migration-guides/migration-6.0.rst index 42c688a89..d763062da 100644 --- a/documentation/migration-guides/migration-6.0.rst +++ b/documentation/migration-guides/migration-6.0.rst 
@@ -291,6 +291,20 @@ information. Users are advised to transition to SDPX 3.0, which is provided by the :ref:`ref-classes-create-spdx` class. +:term:`CVE_PRODUCT` character escaping change +--------------------------------------------- + +The :term:`CVE_PRODUCT` variable, which specifies a name used to match the +recipe name against the name in the upstream `NIST CVE database +`__, used to require special characters to be escaped. + +This is no longer, the case. For example, the :term:`CVE_PRODUCT` variable for +the ``webkitgtk`` recipe must no longer be written as ``webkitgtk\+`` but +``webkitgtk+``. + +Users are advised to review their :term:`CVE_PRODUCT` assignments and remove any +special character escaping. + .. _ref-migration-6-0-wic-sector-size-change: :term:`WIC_SECTOR_SIZE` should be replaced by ``--sector-size``
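
Review bot: "This is no longer, the case." in the new CVE_PRODUCT section of [PATCH 03/16] has a stray comma, and the section never says what happens when an old escaped value such as ``webkitgtk\+`` is left in place. The commit message attributes the change to cve_check now escaping CPE 2.3 special characters itself, so if a leftover backslash makes the product name stop matching, CVEs for that recipe could go unreported; suggest stating the consequence so that the advice to review assignments reads as required rather than optional. The context line above the addition also spells the format "SDPX 3.0", which could be corrected to SPDX in a follow-up.
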
From: Antonin Godard
Date: Wed, 22 Apr 2026 16:22:37 +0200
Subject: [PATCH 04/16] tools/build-docs-container: add missing leap 16.0 in help message
Message-Id: <20260422-third-release-notes-6-0-v1-4-06635e8648d1@bootlin.com>
References: <20260422-third-release-notes-6-0-v1-0-06635e8648d1@bootlin.com>
In-Reply-To: <20260422-third-release-notes-6-0-v1-0-06635e8648d1@bootlin.com>
To: docs@lists.yoctoproject.org
Cc: Thomas Petazzoni, Antonin Godard
X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/9313

Fixes: e5880b36dfc6 ("ref-manual/system-requirements.rst: add section for openSUSE Leap 16.0")
Signed-off-by: Antonin Godard --- documentation/tools/build-docs-container | 1 + 1 file changed, 1 insertion(+) diff --git a/documentation/tools/build-docs-container b/documentation/tools/build-docs-container index a540e81ec..ab8314901 100755 --- a/documentation/tools/build-docs-container +++ b/documentation/tools/build-docs-container 
@@ -41,6 +41,7 @@ $0 OCI_IMAGE [make arguments...] - fedora:42 - fedora:43 - leap:15.6 + - leap:16.0 - rockylinux:8 - rockylinux:9 - ubuntu:22.04
From: Antonin Godard
Date: Wed, 22 Apr 2026 16:22:38 +0200
Subject: [PATCH 05/16] tools/build-docs-container: add CentOS 10 support
Message-Id: <20260422-third-release-notes-6-0-v1-5-06635e8648d1@bootlin.com>
References: <20260422-third-release-notes-6-0-v1-0-06635e8648d1@bootlin.com>
In-Reply-To: <20260422-third-release-notes-6-0-v1-0-06635e8648d1@bootlin.com>
To: docs@lists.yoctoproject.org
Cc: Thomas Petazzoni, Antonin Godard
X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/9314

No issue building the documentation, and including the packages from the essential list (INCLUDE_ESSENTIAL_PACKAGES=1).
Signed-off-by: Antonin Godard --- documentation/tools/build-docs-container | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/documentation/tools/build-docs-container b/documentation/tools/build-docs-container index ab8314901..37d3d2bb6 100755 --- a/documentation/tools/build-docs-container +++ b/documentation/tools/build-docs-container @@ -36,6 +36,7 @@ $0 OCI_IMAGE [make arguments...] - almalinux:8 - almalinux:9 - centos:stream9 + - centos:stream10 - debian:12 - debian:13 - fedora:42 
@@ -98,7 +99,8 @@ main () docs_pdf=tlmgr_docs_pdf.sh pip3=pip3_docs.sh ;; - "centos:stream9"*) + "centos:stream9"*|\ + "centos:stream10"*) containerfile=Containerfile.stream essential=centosstream_essential.sh docs=centosstream_docs.sh
From: Antonin Godard
Date: Wed, 22 Apr 2026 16:22:39 +0200
Subject: [PATCH 06/16] ref-manual/system-requirements.rst: add CentOS 10 as a supported distro
Message-Id: <20260422-third-release-notes-6-0-v1-6-06635e8648d1@bootlin.com>
References: <20260422-third-release-notes-6-0-v1-0-06635e8648d1@bootlin.com>
In-Reply-To: <20260422-third-release-notes-6-0-v1-0-06635e8648d1@bootlin.com>
To: docs@lists.yoctoproject.org
Cc: Thomas Petazzoni, Antonin Godard
X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/9316

The current list of packages for CentOS 9 applies for CentOS 10.
Signed-off-by: Antonin Godard --- documentation/ref-manual/system-requirements.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/documentation/ref-manual/system-requirements.rst b/documentation/ref-manual/system-requirements.rst index 05c852043..5171ca6ba 100644 --- a/documentation/ref-manual/system-requirements.rst +++ b/documentation/ref-manual/system-requirements.rst 
@@ -65,6 +65,7 @@ supported on the following distributions: - AlmaLinux 8 - AlmaLinux 9 - CentOS Stream 9 +- CentOS Stream 10 - Debian 11 - Debian 12 - Debian 13
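
Review bot: The only change in [PATCH 06/16] is the "CentOS Stream 10" entry in the supported-distributions list, so the commit message's statement that the CentOS 9 package list also applies to CentOS 10 is not visible to readers of the manual. Suggest saying so where the CentOS Stream 9 packages are listed in system-requirements.rst, so that users of the newly listed distribution know which install commands to run.
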
From: Antonin Godard
Date: Wed, 22 Apr 2026 16:22:40 +0200
Subject: [PATCH 07/16] docs-wide: drop documentation for cve-check and variables
Message-Id: <20260422-third-release-notes-6-0-v1-7-06635e8648d1@bootlin.com>
References: <20260422-third-release-notes-6-0-v1-0-06635e8648d1@bootlin.com>
In-Reply-To: <20260422-third-release-notes-6-0-v1-0-06635e8648d1@bootlin.com>
To: docs@lists.yoctoproject.org
Cc: Thomas Petazzoni, Antonin Godard
X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/9315

Drop the cve-check class documentation and all variables strictly tied to the class.
The vex class is still there and uses the same namespace to name its variables, so keep the variables that are still used in the vex class. The current vulnerabilities document is out-of-date, but references to cve-check are still removed there for bisectability, and is rewritten in the next commits. Signed-off-by: Antonin Godard --- documentation/migration-guides/migration-3.0.rst | 4 +- documentation/migration-guides/migration-5.0.rst | 2 +- .../migration-guides/release-notes-4.0.23.rst | 2 +- .../migration-guides/release-notes-4.1.1.rst | 4 +- .../migration-guides/release-notes-4.1.rst | 4 +- .../migration-guides/release-notes-5.0.5.rst | 2 +- .../migration-guides/release-notes-5.0.rst | 4 +- .../migration-guides/release-notes-5.1.3.rst | 2 +- .../migration-guides/release-notes-5.1.rst | 8 +-- .../migration-guides/release-notes-5.2.rst | 24 +++---- .../migration-guides/release-notes-5.3.rst | 2 +- .../migration-guides/release-notes-6.0.rst | 2 +- documentation/ref-manual/classes.rst | 78 +--------------------- documentation/ref-manual/variables.rst | 77 +++------------------ documentation/security-manual/vulnerabilities.rst | 12 ++-- 15 files changed, 47 insertions(+), 180 deletions(-) diff --git a/documentation/migration-guides/migration-3.0.rst b/documentation/migration-guides/migration-3.0.rst index 67fcac41f..f5201dcac 100644 --- a/documentation/migration-guides/migration-3.0.rst +++ b/documentation/migration-guides/migration-3.0.rst @@ -49,7 +49,7 @@ The following recipes have been removed. - ``core-image-lsb-sdk``: Part of removed LSB support. - ``cve-check-tool``: Functionally replaced by the ``cve-update-db`` - recipe and :ref:`ref-classes-cve-check` class. + recipe and ``cve-check`` class. - ``eglinfo``: No longer maintained. ``eglinfo`` from ``mesa-demos`` is an adequate and maintained alternative. 
@@ -144,7 +144,7 @@ CVE Checking ------------ ``cve-check-tool`` has been functionally replaced by a new -``cve-update-db`` recipe and functionality built into the :ref:`ref-classes-cve-check` +``cve-update-db`` recipe and functionality built into the ``cve-check`` class. The result uses NVD JSON data feeds rather than the deprecated XML feeds that ``cve-check-tool`` was using, supports CVSSv3 scoring, and makes other improvements. diff --git a/documentation/migration-guides/migration-5.0.rst b/documentation/migration-guides/migration-5.0.rst index cf413300c..a0d0cc2df 100644 --- a/documentation/migration-guides/migration-5.0.rst +++ b/documentation/migration-guides/migration-5.0.rst @@ -186,7 +186,7 @@ Miscellaneous changes - ``recipetool`` now prefixes the names of recipes created for Python modules with ``python3-``. -- The :ref:`ref-classes-cve-check` class no longer produces a warning for +- The ``cve-check`` class no longer produces a warning for remote patches --- it only logs a note and does not try to fetch the patch in order to scan it for issues or CVE numbers. However, CVE number references in remote patch file names will now be picked up. diff --git a/documentation/migration-guides/release-notes-4.0.23.rst b/documentation/migration-guides/release-notes-4.0.23.rst index abf7c6975..271a6340f 100644 --- a/documentation/migration-guides/release-notes-4.0.23.rst +++ b/documentation/migration-guides/release-notes-4.0.23.rst @@ -80,7 +80,7 @@ Fixes in Yocto-4.0.23 - ref-manual: add missing :term:`OPKGBUILDCMD` variable - ref-manual: devtool-reference: document missing commands - ref-manual: devtool-reference: refresh example outputs -- ref-manual: introduce :term:`CVE_CHECK_REPORT_PATCHED` variable +- ref-manual: introduce ``CVE_CHECK_REPORT_PATCHED`` variable - ref-manual: release-process: add a reference to the doc's release - ref-manual: release-process: refresh the current LTS releases - ref-manual: release-process: update releases.svg 
diff --git a/documentation/migration-guides/release-notes-4.1.1.rst b/documentation/migration-guides/release-notes-4.1.1.rst index 8393bc532..23ea4727c 100644 --- a/documentation/migration-guides/release-notes-4.1.1.rst +++ b/documentation/migration-guides/release-notes-4.1.1.rst @@ -131,8 +131,8 @@ Fixes in Yocto-4.1.1 - ref-manual/faq.rst: update references to products built with OE / Yocto Project - ref-manual/variables.rst: clarify sentence - ref-manual: add a note to ssh-server-dropbear feature -- ref-manual: add :term:`CVE_CHECK_SHOW_WARNINGS` -- ref-manual: add :term:`CVE_DB_UPDATE_INTERVAL` +- ref-manual: add ``CVE_CHECK_SHOW_WARNINGS`` +- ref-manual: add ``CVE_DB_UPDATE_INTERVAL`` - ref-manual: add :term:`DEV_PKG_DEPENDENCY` - ref-manual: add :term:`DISABLE_STATIC` - ref-manual: add :term:`FIT_PAD_ALG` diff --git a/documentation/migration-guides/release-notes-4.1.rst b/documentation/migration-guides/release-notes-4.1.rst index 3ad3611b8..81d541fac 100644 --- a/documentation/migration-guides/release-notes-4.1.rst +++ b/documentation/migration-guides/release-notes-4.1.rst 
@@ -47,11 +47,11 @@ New Features / Enhancements in 4.1 - CVE checking enhancements: - - New :term:`CVE_DB_UPDATE_INTERVAL` variable to allow specifying the CVE database minimum update interval (and default to once per day) + - New ``CVE_DB_UPDATE_INTERVAL`` variable to allow specifying the CVE database minimum update interval (and default to once per day) - Added JSON format to summary output - Added support for Ignored CVEs - Enable recursive CVE checking also for ``do_populate_sdk`` - - New :term:`CVE_CHECK_SHOW_WARNINGS` variable to disable unpatched CVE warning messages + - New ``CVE_CHECK_SHOW_WARNINGS`` variable to disable unpatched CVE warning messages - The :ref:`ref-classes-pypi` class now defaults :term:`CVE_PRODUCT` from :term:`PYPI_PACKAGE` - Added current kernel CVEs to ignore list since we stay as close to the kernel stable releases as we can - Optimisations to avoid dependencies on fetching diff --git a/documentation/migration-guides/release-notes-5.0.5.rst b/documentation/migration-guides/release-notes-5.0.5.rst index c8cf9a85d..7aadaeae4 100644 --- a/documentation/migration-guides/release-notes-5.0.5.rst +++ b/documentation/migration-guides/release-notes-5.0.5.rst @@ -83,7 +83,7 @@ Fixes in Yocto-5.0.5 - ref-manual: devtool-reference: document missing commands - ref-manual: devtool-reference: refresh example outputs - ref-manual: faq: add q&a on class appends -- ref-manual: introduce :term:`CVE_CHECK_REPORT_PATCHED` variable +- ref-manual: introduce ``CVE_CHECK_REPORT_PATCHED`` variable - ref-manual: merge patch-status-* to patch-status - ref-manual: release-process: add a reference to the doc's release - ref-manual: release-process: refresh the current LTS releases diff --git a/documentation/migration-guides/release-notes-5.0.rst b/documentation/migration-guides/release-notes-5.0.rst index de11bd174..31b1d3da7 100644 --- a/documentation/migration-guides/release-notes-5.0.rst +++ b/documentation/migration-guides/release-notes-5.0.rst 
@@ -10,7 +10,7 @@ New Features / Enhancements in 5.0 - New variables: - - :term:`CVE_DB_INCR_UPDATE_AGE_THRES`: Configure the maximum age of the + - ``CVE_DB_INCR_UPDATE_AGE_THRES``: Configure the maximum age of the internal CVE database for incremental update (instead of a full redownload). @@ -277,7 +277,7 @@ New Features / Enhancements in 5.0 - Improve incremental CVE database download from NVD. Rejected CVEs are removed, configuration is kept up-to-date. The age threshold for - incremental update can be configured with :term:`CVE_DB_INCR_UPDATE_AGE_THRES` + incremental update can be configured with ``CVE_DB_INCR_UPDATE_AGE_THRES`` variable. - Toaster Web UI improvements: diff --git a/documentation/migration-guides/release-notes-5.1.3.rst b/documentation/migration-guides/release-notes-5.1.3.rst index 641cb8d50..13cf48bae 100644 --- a/documentation/migration-guides/release-notes-5.1.3.rst +++ b/documentation/migration-guides/release-notes-5.1.3.rst @@ -40,7 +40,7 @@ Fixes in Yocto-5.1.3 - cmake: apply parallel build settings to ptest tasks - contributor-guide/submit-changes: add policy on AI generated code - cve-check: fix cvesInRecord -- cve-check: restore :term:`CVE_CHECK_SHOW_WARNINGS` functionality +- cve-check: restore ``CVE_CHECK_SHOW_WARNINGS`` functionality - dev-manual/building: document the initramfs-framework recipe - devtool: ide-sdk recommend :term:`DEBUG_BUILD` - devtool: ide-sdk remove the plugin from eSDK installer diff --git a/documentation/migration-guides/release-notes-5.1.rst b/documentation/migration-guides/release-notes-5.1.rst index bab0c1458..2f049690a 100644 --- a/documentation/migration-guides/release-notes-5.1.rst +++ b/documentation/migration-guides/release-notes-5.1.rst 
@@ -11,7 +11,7 @@ New Features / Enhancements in 5.1 - New variables: - - :term:`CVE_CHECK_MANIFEST_JSON_SUFFIX`: suffix for the CVE JSON manifest file. + - ``CVE_CHECK_MANIFEST_JSON_SUFFIX``: suffix for the CVE JSON manifest file. - :term:`PRSERV_UPSTREAM`: Upstream PR service (``host:port``) for the local PR server to connect to. @@ -235,12 +235,12 @@ New Features / Enhancements in 5.1 - Fetch release tarballs instead of git checkouts to reduce disk usage. -- :ref:`ref-classes-cve-check` changes: +- ``cve-check`` changes: - - The class :ref:`ref-classes-cve-check` now uses a local copy of the NVD + - The class ``cve-check`` now uses a local copy of the NVD database during builds. - - New statuses can be reported by :ref:`ref-classes-cve-check`: + - New statuses can be reported by ``cve-check``: - ``fix-file-included``: when a fix file has been included (set automatically) - ``version-not-in-range``: version number NOT in the vulnerable range (set automatically) diff --git a/documentation/migration-guides/release-notes-5.2.rst b/documentation/migration-guides/release-notes-5.2.rst index 5fc426c05..b5483c903 100644 --- a/documentation/migration-guides/release-notes-5.2.rst +++ b/documentation/migration-guides/release-notes-5.2.rst @@ -35,8 +35,8 @@ New Features / Enhancements in |yocto-ver| install tags (``--tags``) to the ``meson install`` command during the :ref:`ref-tasks-install` task. - - :ref:`ref-classes-cve-check`: :term:`NVD_DB_VERSION` to allow choosing the - CVE feed when using the :ref:`ref-classes-cve-check` class. + - ``cve-check``: ``NVD_DB_VERSION`` to allow choosing the + CVE feed when using the ``cve-check`` class. - The :term:`BB_USE_HOME_NPMRC` controls whether or not BitBake uses the user's ``.npmrc`` file within their home directory within the npm fetcher. 
@@ -479,7 +479,7 @@ New Features / Enhancements in |yocto-ver| - ``openssh``: be more restrictive on private key file permissions by setting them from the :ref:`ref-tasks-install` task. -- :ref:`ref-classes-cve-check` changes: +- ``cve-check`` changes: - Update the :term:`DL_DIR` database location name (``${DL_DIR}/CVE_CHECK2``). @@ -490,15 +490,15 @@ New Features / Enhancements in |yocto-ver| - Fix malformed cve status description with ``:`` characters. - - Restore the :term:`CVE_CHECK_SHOW_WARNINGS` variable and functionality. It + - Restore the ``CVE_CHECK_SHOW_WARNINGS`` variable and functionality. It currently prints warning message for every unpatched CVE the - :ref:`ref-classes-cve-check` class finds. + ``cve-check`` class finds. - - Users can control the NVD database source using the :term:`NVD_DB_VERSION` + - Users can control the NVD database source using the ``NVD_DB_VERSION`` variable with possible values ``NVD1``, ``NVD2``, or ``FKIE``. - The default feed for CVEs is now ``FKIE`` instead of ``NVD2`` (see - :term:`NVD_DB_VERSION` for more information). + ``NVD_DB_VERSION`` for more information). - New :term:`PACKAGECONFIG` options for individual recipes: @@ -621,8 +621,8 @@ New Features / Enhancements in |yocto-ver| - ``cve-update-nvd2-native``: updating the database will now result in an error if :term:`BB_NO_NETWORK` is enabled and - :term:`CVE_DB_UPDATE_INTERVAL` is not set to ``-1``. Users can control the - NVD database source using the :term:`NVD_DB_VERSION` variable with + ``CVE_DB_UPDATE_INTERVAL`` is not set to ``-1``. Users can control the + NVD database source using the ``NVD_DB_VERSION`` variable with possible values ``NVD1``, ``NVD2``, or ``FKIE``. - ``systemtap``: add ``--with-extra-version="oe"`` configure option to 
@@ -714,10 +714,10 @@ New Features / Enhancements in |yocto-ver| Known Issues in |yocto-ver| ~~~~~~~~~~~~~~~~~~~~~~~~~~~ -- The :ref:`ref-classes-cve-check` class is based on the `National +- The ``cve-check`` class is based on the `National Vulnerability Database `__ (NVD). Since the beginning of 2024, the maintainers of this database have stopped annotating CVEs with - the affected CPEs. This prevents the :ref:`ref-classes-cve-check` class to + the affected CPEs. This prevents the ``cve-check`` class to properly report CVEs as CPEs are used to match Yocto recipes with CVEs affecting them. As a result, the current CVE reports may look good but the reality is that some vulnerabilities are just not reported. @@ -726,7 +726,7 @@ Known Issues in |yocto-ver| '__ for entries concerning software they use, or follow release notes of such projects closely. - Please note, that the :ref:`ref-classes-cve-check` tool has always been a + Please note, that the ``cve-check`` tool has always been a helper tool, and users are advised to always review the final result. Results of an automatic scan may not take into account configuration options, compiler options and other factors. diff --git a/documentation/migration-guides/release-notes-5.3.rst b/documentation/migration-guides/release-notes-5.3.rst index 0ba0fbe98..1655ca90f 100644 --- a/documentation/migration-guides/release-notes-5.3.rst +++ b/documentation/migration-guides/release-notes-5.3.rst @@ -778,7 +778,7 @@ New Features / Enhancements in |yocto-ver| branch is no longer updated `. -- :ref:`ref-classes-cve-check` class changes: +- ``cve-check`` class changes: - ``cve-update-db-native``: FKIE: use Secondary metric if there is no Primary metric. diff --git a/documentation/migration-guides/release-notes-6.0.rst b/documentation/migration-guides/release-notes-6.0.rst index 2ae182c8c..31d4cdfce 100644 --- a/documentation/migration-guides/release-notes-6.0.rst +++ b/documentation/migration-guides/release-notes-6.0.rst 
@@ -572,7 +572,7 @@ New Features / Enhancements in |yocto-ver| :doc:`/security-reference/index`. It is intended to document how to report vulnerabilities to the Yocto Project security team. -- :ref:`ref-classes-cve-check`-related changes: +- :ref:`ref-classes-sbom-cve-check`-related changes: - ``cve-update-nvd2-native``: Use maximum CVSS score when extracting it from multiple sources (:oecore_rev:`4f6192f3165de0bc2499e045607c7e7ffd878a4b`) diff --git a/documentation/ref-manual/classes.rst b/documentation/ref-manual/classes.rst index d66c9c68b..2905af5ed 100644 --- a/documentation/ref-manual/classes.rst +++ b/documentation/ref-manual/classes.rst 
@@ -596,78 +596,6 @@ cross-compilation tools used for building SDKs. See the section in the Yocto Project Overview and Concepts Manual for more discussion on these cross-compilation tools. -.. _ref-classes-cve-check: - -``cve-check`` -============= - -The :ref:`ref-classes-cve-check` class looks for known CVEs (Common Vulnerabilities -and Exposures) while building with BitBake. This class is meant to be -inherited globally from a configuration file:: - - INHERIT += "cve-check" - -To filter out obsolete CVE database entries which are known not to impact -software from :term:`OpenEmbedded-Core (OE-Core)`, add the following line to the -build configuration file:: - - include cve-extra-exclusions.inc - -You can also look for vulnerabilities in specific packages by passing -``-c cve_check`` to BitBake. - -After building the software with Bitbake, CVE check output reports are available in ``tmp/deploy/cve`` -and image specific summaries in ``tmp/deploy/images/*.json`` files. - -When building, the CVE checker will emit build time warnings for any detected -issues which are in the state ``Unpatched``, meaning that CVE issue seems to affect the software component -and version being compiled and no patches to address the issue are applied. Other states -for detected CVE issues are: ``Patched`` meaning that a patch to address the issue is already -applied, and ``Ignored`` meaning that the issue can be ignored. - -The ``Patched`` state of a CVE issue is detected from patch files with the format -``CVE-ID.patch``, e.g. ``CVE-2019-20633.patch``, in the :term:`SRC_URI` and using -CVE metadata of format ``CVE: CVE-ID`` in the commit message of the patch file. - -.. note:: - - Commit message metadata (``CVE: CVE-ID`` in a patch header) will not be scanned - in any patches that are remote, i.e. that are anything other than local files - referenced via ``file://`` in SRC_URI. However, a ``CVE-ID`` in a remote patch - file name itself will be registered. 
- -If the recipe adds ``CVE-ID`` as flag of the :term:`CVE_STATUS` variable with status -mapped to ``Ignored``, then the CVE state is reported as ``Ignored``:: - - CVE_STATUS[CVE-2020-15523] = "not-applicable-platform: Issue only applies on Windows" - -If CVE check reports that a recipe contains false positives or false negatives, these may be -fixed in recipes by adjusting the CVE product name using :term:`CVE_PRODUCT` and :term:`CVE_VERSION` variables. -:term:`CVE_PRODUCT` defaults to the plain recipe name :term:`BPN` which can be adjusted to one or more CVE -database vendor and product pairs using the syntax:: - - CVE_PRODUCT = "flex_project:flex" - -where ``flex_project`` is the CVE database vendor name and ``flex`` is the product name. Similarly -if the default recipe version :term:`PV` does not match the version numbers of the software component -in upstream releases or the CVE database, then the :term:`CVE_VERSION` variable can be used to set the -CVE database compatible version number, for example:: - - CVE_VERSION = "2.39" - -Any bugs or missing or incomplete information in the CVE database entries should be fixed in the CVE database -via the `NVD feedback form `__. - -Users should note that security is a process, not a product, and thus also CVE checking, analyzing results, -patching and updating the software should be done as a regular process. The data and assumptions -required for CVE checker to reliably detect issues are frequently broken in various ways. -These can only be detected by reviewing the details of the issues and iterating over the generated reports, -and following what happens in other Linux distributions and in the greater open source community. - -You will find some more details in the -":ref:`security-manual/vulnerabilities:checking for vulnerabilities`" -section in the Development Tasks Manual. - .. _ref-classes-cython: ``cython`` 
@@ -3818,8 +3746,7 @@ using the Vala programming language. ======== The :ref:`ref-classes-vex` class is used to generate metadata needed by external -tools to check for vulnerabilities, for example CVEs. It can be used as a -replacement for :ref:`ref-classes-cve-check`. +tools to check for vulnerabilities, for example CVEs. In order to use this class, inherit the class in the ``local.conf`` file and it will add the ``generate_vex`` task for every recipe:: @@ -3830,9 +3757,6 @@ If an image is built it will generate a report in :term:`DEPLOY_DIR_IMAGE` for all the packages used, it will also generate a file for all recipes used in the build. -Variables use the ``CVE_CHECK`` prefix to keep compatibility with the -:ref:`ref-classes-cve-check` class. - Example usage:: bitbake -c generate_vex openssl diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst index e713204e3..0fcf81299 100644 --- a/documentation/ref-manual/variables.rst +++ b/documentation/ref-manual/variables.rst 
@@ -1977,42 +1977,22 @@ system and gives an overview of their function and contents. variable only in certain contexts (e.g. when building for kernel and kernel module recipes). - :term:`CVE_CHECK_CREATE_MANIFEST` - Specifies whether to create a CVE manifest to place in the deploy - directory. The default is "1". - :term:`CVE_CHECK_IGNORE` This variable is deprecated and should be replaced by :term:`CVE_STATUS`. :term:`CVE_CHECK_MANIFEST_JSON` - Specifies the path to the CVE manifest in JSON format. See - :term:`CVE_CHECK_CREATE_MANIFEST`. - - :term:`CVE_CHECK_MANIFEST_JSON_SUFFIX` - Allows to modify the JSON manifest suffix. See - :term:`CVE_CHECK_MANIFEST_JSON`. - - :term:`CVE_CHECK_REPORT_PATCHED` - Specifies whether or not the :ref:`ref-classes-cve-check` - class should report patched or ignored CVEs. The default is "1", but you - may wish to set it to "0" if you do not need patched or ignored CVEs in - the logs. - - :term:`CVE_CHECK_SHOW_WARNINGS` - Specifies whether or not the :ref:`ref-classes-cve-check` - class should generate warning messages on the console when unpatched - CVEs are found. The default is "1", but you may wish to set it to "0" if - you are already examining/processing the logs after the build has - completed and thus do not need the warning messages. + When inheriting the :ref:`ref-classes-vex` class, this variable specifies + the path to the CVE manifest in JSON format. :term:`CVE_CHECK_SKIP_RECIPE` - The list of package names (:term:`PN`) for which - CVEs (Common Vulnerabilities and Exposures) are ignored. + When inheriting the :ref:`ref-classes-vex` class, the variable specifies + the list of package names (:term:`PN`) for which CVEs (Common + Vulnerabilities and Exposures) are ignored. :term:`CVE_CHECK_STATUSMAP` Mapping variable for all possible reasons of :term:`CVE_STATUS`: ``Patched``, ``Unpatched`` and ``Ignored``. 
- See :ref:`ref-classes-cve-check` or ``meta/conf/cve-check-map.conf`` for more details:: + See :oecore_path:`meta/conf/cve-check-map.conf` for more details:: CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored" @@ -2023,18 +2003,6 @@ system and gives an overview of their function and contents. CVE_CHECK_VEX_JUSTIFICATION[not-applicable-config] = "vulnerableCodeNotPresent" - :term:`CVE_DB_INCR_UPDATE_AGE_THRES` - Specifies the maximum age of the CVE database in seconds for an - incremental update (instead of a full-download). Use "0" to force a - full-download. - - :term:`CVE_DB_UPDATE_INTERVAL` - Specifies the CVE database update interval in seconds, as used by - ``cve-update-db-native``. The default value is "86400" i.e. once a day - (24*60*60). If the value is set to "0" then the update will be forced - every time. Alternatively, a negative value e.g. "-1" will disable - updates entirely. - :term:`CVE_PRODUCT` In a recipe, defines the name used to match the recipe name against the name in the upstream `NIST CVE database `__. @@ -2085,12 +2053,14 @@ system and gives an overview of their function and contents. :term:`CVE_VERSION` In a recipe, defines the version used to match the recipe version against the version in the `NIST CVE database `__ - when usign :ref:`ref-classes-cve-check`. + when using the :ref:`ref-classes-vex` or :ref:`ref-classes-create-spdx` + class. The default is ${:term:`PV`} but if recipes use custom version numbers which do not map to upstream software component release versions and the versions used in the CVE database, then this variable can be used to set the - version number for :ref:`ref-classes-cve-check`. Example:: + version number for :ref:`ref-classes-vex` or + :ref:`ref-classes-create-spdx`. Example:: CVE_VERSION = "2.39" 
@@ -6548,33 +6518,6 @@ system and gives an overview of their function and contents. NON_MULTILIB_RECIPES = "grub grub-efi make-mod-scripts ovmf u-boot" - :term:`NVD_DB_VERSION` - The :term:`NVD_DB_VERSION` variable allows choosing the CVE feed when - using the :ref:`ref-classes-cve-check` class. It can be one of: - - - ``FKIE`` (default): the `FKIE-CAD `__ - feed reconstruction - - ``NVD2``: the NVD feed with API version 2 - - ``NVD1``: the NVD JSON feed (deprecated) - - In case of a malformed feed name, the ``NVD2`` feed is selected and an - error is printed. - - :term:`NVDCVE_API_KEY` - The NVD API key used to retrieve data from the CVE database when - using :ref:`ref-classes-cve-check`. - - By default, no API key is used, which results in larger delays between API - requests and limits the number of queries to the public rate limits posted - at the `NVD developer's page `__. - - NVD API keys can be requested through the - `Request an API Key `__ - page. You can set this variable to the NVD API key in your ``local.conf`` file. - Example:: - - NVDCVE_API_KEY = "fe753&7a2-1427-347d-23ff-b2e2b7ca5f3" - :term:`OBJCOPY` The minimal command and arguments to run :manpage:`objcopy `. diff --git a/documentation/security-manual/vulnerabilities.rst b/documentation/security-manual/vulnerabilities.rst index e6135a525..983e1548c 100644 --- a/documentation/security-manual/vulnerabilities.rst +++ b/documentation/security-manual/vulnerabilities.rst @@ -28,7 +28,7 @@ Vulnerability check at build time ================================= To enable a check for CVE security vulnerabilities using -:ref:`ref-classes-cve-check` in the specific image or target you are building, +``cve-check`` in the specific image or target you are building, add the following setting to your configuration:: INHERIT += "cve-check" 
@@ -58,7 +58,7 @@ analysis, it has been deemed to ignore the issue as it for example affects the software component on a different operating system platform. By default, no NVD API key is used to retrieve data from the CVE database, which -results in larger delays between NVD API requests. See the :term:`NVDCVE_API_KEY` +results in larger delays between NVD API requests. See the ``NVDCVE_API_KEY`` documentation on how to request and set a NVD API key. After a build with CVE check enabled, reports for each compiled source recipe will be @@ -145,7 +145,7 @@ It is also possible to check the CVE status of individual packages as follows:: Fixing CVE product name and version mappings ============================================ -By default, :ref:`ref-classes-cve-check` uses the recipe name :term:`BPN` as CVE +By default, ``cve-check`` uses the recipe name :term:`BPN` as CVE product name when querying the CVE database. If this mapping contains false positives, e.g. some reported CVEs are not for the software component in question, or false negatives like some CVEs are not found to impact the recipe when they should, then the problems can be @@ -288,7 +288,7 @@ the :term:`CVE_CHECK_SKIP_RECIPE` variable. Implementation details ====================== -Here's what the :ref:`ref-classes-cve-check` class does to find unpatched CVE IDs. +Here's what the ``cve-check`` class does to find unpatched CVE IDs. First the code goes through each patch file provided by a recipe. If a valid CVE ID is found in the name of the file, the corresponding CVE is considered as patched. @@ -389,7 +389,7 @@ Don't forget to update your kernel recipe with:: include cve-exclusion_6.12.inc Then the CVE information will automatically be added in the -:ref:`ref-classes-cve-check` or :ref:`ref-classes-vex` report. +``cve-check`` or :ref:`ref-classes-vex` report. ``improve_kernel_cve_report.py`` -------------------------------- 
@@ -402,7 +402,7 @@ CVEs by analyzing the files used to build the kernel. The script is decoupled fr the build and can be run outside of the :term:`BitBake` environment. The script uses the output from the :ref:`ref-classes-vex` or -:ref:`ref-classes-cve-check` class as input, together with CVE information from +``cve-check`` class as input, together with CVE information from the Linux kernel CNA to enrich the ``cve-summary.json`` file with updated CVE information. From patchwork Wed Apr 22 14:22:41 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antonin Godard X-Patchwork-Id: 86657 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9B3B2F9EDF3 for ; Wed, 22 Apr 2026 14:23:10 +0000 (UTC) Received: from smtpout-04.galae.net (smtpout-04.galae.net [185.171.202.116]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.83818.1776867779790196596 for ; Wed, 22 Apr 2026 07:23:00 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@bootlin.com header.s=dkim header.b=oh/LsOOS; spf=pass (domain: bootlin.com, ip: 185.171.202.116, mailfrom: antonin.godard@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-04.galae.net (Postfix) with ESMTPS id A89A6C5C3CC for ; Wed, 22 Apr 2026 14:23:38 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id D51625FA8F for ; Wed, 22 Apr 2026 14:22:57 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 10C6510460B10; Wed, 22 Apr 2026 16:22:56 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=dkim; t=1776867777; 
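Review bot: In documentation/migration-guides/release-notes-5.2.rst (hunk @@ -490,15 +490,15 @@), the parenthetical "(see ``NVD_DB_VERSION`` for more information)" no longer points anywhere once the :term: link becomes a literal and the glossary entry is deleted from variables.rst in this same patch. Either drop the parenthetical or fold the one fact a reader needs into the bullet, which already lists the possible values ``NVD1``, ``NVD2`` and ``FKIE`` two lines above.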
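Review bot: In documentation/migration-guides/release-notes-6.0.rst (hunk @@ -572,7 +572,7 @@), the heading is retargeted to :ref:`ref-classes-sbom-cve-check` instead of being turned into a ``cve-check`` literal like every other occurrence in this patch, and the commit message does not mention this. Since the message cites bisectability, please confirm that the ``ref-classes-sbom-cve-check`` label is already defined at this point in the series, and that the ``cve-update-nvd2-native`` bullet under it really belongs under an sbom-cve-check heading. A line in the commit message explaining the different treatment would help.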
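Review bot: In documentation/ref-manual/classes.rst (hunk @@ -3830,9 +3757,6 @@), removing "Variables use the ``CVE_CHECK`` prefix to keep compatibility with the cve-check class" leaves the vex section with no explanation of why its variables are named ``CVE_CHECK_*``, while the commit message itself says the vex class "uses the same namespace to name its variables" and variables.rst keeps those entries. Consider keeping a reworded sentence that states the prefix is retained for vex, without the :ref: to the removed class.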
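Review bot: In documentation/ref-manual/variables.rst (hunk @@ -1977,42 +1977,22 @@), the two rewritten entries are worded inconsistently: CVE_CHECK_MANIFEST_JSON says "this variable specifies" while CVE_CHECK_SKIP_RECIPE says "the variable specifies". Use "this variable" in both. The same hunk introduces :oecore_path:`meta/conf/cve-check-map.conf`; please confirm the ``oecore_path`` role is available at this commit so the docs build at every step of the series.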
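Review bot: In documentation/security-manual/vulnerabilities.rst (hunk @@ -58,7 +58,7 @@), the sentence "See the ``NVDCVE_API_KEY`` documentation on how to request and set a NVD API key" now refers to documentation that this patch deletes from variables.rst (hunk @@ -6548,33 +6518,6 @@). The commit message says the document is rewritten in later commits, but at this commit the reader is sent to an entry that no longer exists; dropping the sentence here would keep the intermediate state consistent.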
From: Antonin Godard
Date: Wed, 22 Apr 2026 16:22:41 +0200
Subject: [PATCH 08/16] security-manual/vulnerabilities.rst: require Upstream-Status, not recommend
MIME-Version: 1.0
Message-Id: <20260422-third-release-notes-6-0-v1-8-06635e8648d1@bootlin.com>
References: <20260422-third-release-notes-6-0-v1-0-06635e8648d1@bootlin.com>
In-Reply-To: <20260422-third-release-notes-6-0-v1-0-06635e8648d1@bootlin.com>
To: docs@lists.yoctoproject.org
Cc: Thomas Petazzoni , Antonin Godard
X-Mailer: b4 0.16-dev
X-Developer-Key: i=antonin.godard@bootlin.com; a=openpgp; fpr=8648725188DD401BB9A0D3FFD180414029A3A836
X-Last-TLS-Session-Version: TLSv1.3
List-Id:
X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 22 Apr 2026 14:23:10 -0000
X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/9317

We want the Upstream-Status in any case, even if the status turns out to be something like
"oe-specific". So explicitly require it here. Signed-off-by: Antonin Godard --- documentation/security-manual/vulnerabilities.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/security-manual/vulnerabilities.rst b/documentation/security-manual/vulnerabilities.rst index 983e1548c..6121d4d7d 100644 --- a/documentation/security-manual/vulnerabilities.rst +++ b/documentation/security-manual/vulnerabilities.rst 
@@ -234,7 +234,7 @@ the format:: CVE: CVE-2022-3341 -It is also recommended to add the ``Upstream-Status:`` tag with a link +It is also required to add the ``Upstream-Status:`` tag with a link to the original patch and sign-off by people working on the backport. If there are any modifications to the original patch, note them in the ``Comments:`` tag.
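Review bot: the rewritten sentence still says the ``Upstream-Status:`` tag comes "with a link to the original patch", which does not fit the case the commit message gives as the reason for the change: a status such as "oe-specific" has no upstream patch to link to. Consider making the tag mandatory and the link conditional, for example "The ``Upstream-Status:`` tag is also required; for a backport, include a link to the original patch and the sign-off of the people who worked on it." That wording also removes the ambiguity about whether "required" now applies to the sign-off as well.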
From: Antonin Godard Date: Wed, 22 Apr 2026 16:22:42 +0200 Subject: [PATCH 09/16] security-manual/vulnerabilities.rst: refresh the document after cve-check removal Message-Id: <20260422-third-release-notes-6-0-v1-9-06635e8648d1@bootlin.com> In-Reply-To: <20260422-third-release-notes-6-0-v1-0-06635e8648d1@bootlin.com> To: docs@lists.yoctoproject.org Cc: Thomas Petazzoni , Antonin Godard X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/9318 The cve-check class was removed with 00de455f8d3a ("classes/cve-check: remove class") 
in OE-Core. The sbom-cve-check class replaces it. And while it can generate the same report (with the same format), the vulnerabilities document needed an update to reflect the changes. Notable differences: - The output report has a different name (but same format) - There is also an enriched SPDX report containing the vulnerabilities. We do not go in details about this one as this is tied to the SPDX specification, and much more complicated. - The sbom-cve-check does not produce warnings when Unpatched CVEs are found. - The implementation details is removed as this is part of the sbom-cve-check documentation (add a link to it instead). Signed-off-by: Antonin Godard --- documentation/security-manual/vulnerabilities.rst | 218 ++++++++++------------ 1 file changed, 96 insertions(+), 122 deletions(-) diff --git a/documentation/security-manual/vulnerabilities.rst b/documentation/security-manual/vulnerabilities.rst index 6121d4d7d..f776edd08 100644 --- a/documentation/security-manual/vulnerabilities.rst +++ b/documentation/security-manual/vulnerabilities.rst 
@@ -27,125 +27,130 @@ patches to fix them, see ":doc:`/contributor-guide/submit-changes`" for details. Vulnerability check at build time ================================= -To enable a check for CVE security vulnerabilities using -``cve-check`` in the specific image or target you are building, -add the following setting to your configuration:: +To enable a check for CVE security vulnerabilities in the specific image or +target you are building, run the following command from your :term:`Build +Directory`: - INHERIT += "cve-check" +.. code-block:: console -The CVE database contains some old incomplete entries which have been -deemed not to impact :term:`OpenEmbedded-Core (OE-Core)`. These CVE entries can be excluded from the -check using build configuration:: + $ bitbake-config-build enable-fragment core/yocto/sbom-cve-check + +Or add the following statement to a :term:`configuration file`:: + + OE_FRAGMENTS += "core/yocto/sbom-cve-check" + +This will enable the :ref:`ref-classes-sbom-cve-check` class and set the +recommended settings to use it. + +The CVE database contains some old incomplete entries which have been deemed not +to impact :term:`OpenEmbedded-Core (OE-Core)`. These CVE entries can be excluded +from the check by adding the following statement:: include conf/distro/include/cve-extra-exclusions.inc -With this CVE check enabled, BitBake build will try to map each compiled software component -recipe name and version information to the CVE database and generate recipe and -image specific reports. 
These reports will contain: +With the :ref:`ref-fragments-core-yocto-sbom-cve-check` fragment enabled, the +:term:`BitBake` build of an image will try to map each compiled software +component recipe name and version information to the CVE database and generate +reports in the deployment directory (:term:`DEPLOY_DIR_IMAGE`), one of which +being: ``tmp/deploy/images//-.rootfs.sbom-cve-check.yocto.json``, +a report containing: -- metadata about the software component like names and versions + - Metadata about the software component like names and versions + - Metadata about the CVE issue such as description and NVD link + - For each software component, a list of CVEs which are possibly impacting this version + - Status of each CVE: ``Patched``, ``Unpatched`` or ``Ignored`` -- metadata about the CVE issue such as description and NVD link +.. note:: -- for each software component, a list of CVEs which are possibly impacting this version + Another report named ``-.rootfs.sbom-cve-check.spdx.json`` + is also generated: this is the enriched :term:`SPDX` file of the image + containing the same information contained in the previous point, and a lot + more metadata information on the packages included in the image. For more + information on :term:`SPDX`, see the :doc:`/dev-manual/sbom` section of the + Yocto Project Development Tasks Manual. -- status of each CVE: ``Patched``, ``Unpatched`` or ``Ignored`` +Each item in the ``"package"`` list corresponds to a package installed on the +built image. Each of these packages contain a number of CVE entries under the +``"issue"`` sub-list. These CVE can have the following statuses: -The status ``Patched`` means that a patch file to address the security issue has been -applied. ``Unpatched`` status means that no patches to address the issue have been -applied and that the issue needs to be investigated. 
``Ignored`` means that after -analysis, it has been deemed to ignore the issue as it for example affects -the software component on a different operating system platform. +- ``Patched`` means that a patch file to address the security issue + has been applied. -By default, no NVD API key is used to retrieve data from the CVE database, which -results in larger delays between NVD API requests. See the ``NVDCVE_API_KEY`` -documentation on how to request and set a NVD API key. +- ``Unpatched`` means that no patches to address the issue have been + applied and that the issue needs to be investigated. -After a build with CVE check enabled, reports for each compiled source recipe will be -found in ``build/tmp/deploy/cve``. +- ``Ignored`` means that after analysis, it has been deemed to ignore the issue + as it for example affects the software component on a different operating + system platform. -For example the CVE check report for the ``flex-native`` recipe looks like:: +For example, the report for the ``glibc`` package looks like this (simplified): + +.. 
code-block:: json - $ cat ./tmp/deploy/cve/flex-native_cve.json { "version": "1", "package": [ { - "name": "flex-native", - "layer": "meta", - "version": "2.6.4", + "name": "glibc", + "layer": "core", + "version": "2.43+git", "products": [ { - "product": "flex", - "cvesInRecord": "No" - }, - { - "product": "flex", + "product": "glibc", "cvesInRecord": "Yes" } ], "issue": [ { - "id": "CVE-2006-0459", - "status": "Patched", - "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0459", - "summary": "flex.skl in Will Estes and John Millaway Fast Lexical Analyzer Generator (flex) before 2.5.33 does not allocate enough memory for grammars containing (1) REJECT statements or (2) trailing context rules, which causes flex to generate code that contains a buffer overflow that might allow context-dependent attackers to execute arbitrary code.", - "scorev2": "7.5", + "id": "CVE-2010-4756", + "status": "Unpatched", + "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4756", + "summary": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.", + "scorev2": "4.0", "scorev3": "0.0", "scorev4": "0.0", - "modified": "2024-11-21T00:06Z", + "modified": "2025-11-03T22:15:41.000", "vector": "NETWORK", - "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", - "detail": "version-not-in-range" + "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", + "detail": "no-version-ranges", + "description": "Check package version" }, { - "id": "CVE-2016-6354", + "id": "CVE-2018-6551", "status": "Patched", - "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6354", - "summary": "Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly 
execute arbitrary code via vectors involving num_to_read.", + "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6551", + "summary": "The malloc implementation in the GNU C Library (aka glibc or libc6), from version 2.24 to 2.26 on powerpc, and only in version 2.26 on i386, did not properly handle malloc calls with arguments close to SIZE_MAX and could return a pointer to a heap region that is smaller than requested, eventually leading to heap corruption.", "scorev2": "7.5", "scorev3": "9.8", "scorev4": "0.0", - "modified": "2024-11-21T02:55Z", + "modified": "2024-11-21T04:10:53.000", "vector": "NETWORK", - "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "detail": "version-not-in-range" }, { - "id": "CVE-2019-6293", + "id": "CVE-2019-1010022", "status": "Ignored", - "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6293", - "summary": "An issue was discovered in the function mark_beginning_as_normal in nfa.c in flex 2.6.4. There is a stack exhaustion problem caused by the mark_beginning_as_normal function making recursive calls to itself in certain scenarios involving lots of '*' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service.", - "scorev2": "4.3", - "scorev3": "5.5", + "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010022", + "summary": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. 
NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.", + "scorev2": "7.5", + "scorev3": "9.8", "scorev4": "0.0", - "modified": "2024-11-21T04:46Z", + "modified": "2024-11-21T04:17:55.000", "vector": "NETWORK", - "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", - "detail": "upstream-wontfix", - "description": "there is stack exhaustion but no bug and it is building the parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address this." + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "description": "Upstream glibc maintainers dispute there is any issue and have no plans to address it further. this is being treated as a non-security bug and no real threat." } - ] + ], + "cpes": ["cpe:2.3:*:*:glibc:2.43:*:*:*:*:*:*:*"] } ] } -For images, a summary of all recipes included in the image and their CVEs is also -generated in the JSON format. These ``.json`` reports can be found -in the ``tmp/deploy/images`` directory for each compiled image. - -At build time CVE check will also throw warnings about ``Unpatched`` CVEs:: - - WARNING: qemu-native-9.2.0-r0 do_cve_check: Found unpatched CVE (CVE-2023-1386) - -It is also possible to check the CVE status of individual packages as follows:: - - bitbake -c cve_check flex libarchive - Fixing CVE product name and version mappings ============================================ -By default, ``cve-check`` uses the recipe name :term:`BPN` as CVE +By default, :ref:`ref-classes-sbom-cve-check` uses the recipe name :term:`BPN` as CVE product name when querying the CVE database. If this mapping contains false positives, e.g. some reported CVEs are not for the software component in question, or false negatives like some CVEs are not found to impact the recipe when they should, then the problems can be 
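Review bot: the removed lines at the end of this hunk documented that the build prints a "Found unpatched CVE" warning and that a single recipe can be checked with ``bitbake -c cve_check``, and nothing in the added text says what replaces them. The commit message states that sbom-cve-check produces no warnings for Unpatched CVEs, so the section should say so explicitly: a reader who relied on the build log will otherwise take a quiet build to mean there are no open CVEs, when the only place to find them is now the ``"status"`` field in the ``.sbom-cve-check.yocto.json`` report. The same applies to the dropped ``NVDCVE_API_KEY`` paragraph, which leaves the text silent on where the CVE data comes from. Minor wording in the added lines: "Each of these packages contain" should be "contains", and "These CVE can have" should be "These CVEs can have".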
@@ -175,7 +180,7 @@ Fixing vulnerabilities in recipes Suppose a CVE security issue impacts a software component. In that case, it can be fixed by updating to a newer version, by applying a patch, or by marking it -as patched via :term:`CVE_STATUS` variable flag. For OE-Core master +as patched via :term:`CVE_STATUS` variable flag. For :term:`OpenEmbedded-Core (OE-Core)` master branches, updating to a more recent software component release with fixes is the best option, but patches can be applied if releases are not yet available. @@ -228,7 +233,7 @@ is:: 1 file changed, 12 insertions(+), 4 deletions(-) -For the correct operations of the ``cve-check``, it requires the CVE +For the correct operations of :ref:`ref-classes-sbom-cve-check`, it requires the CVE identification in a ``CVE:`` tag of the patch file commit message using the format:: @@ -265,8 +270,8 @@ With the additional information, the header of the patch file in OE-core becomes A good practice is to include the CVE identifier in the patch file name, the patch file commit message and optionally in the recipe commit message. -CVE checker will then capture this information and change the CVE status to ``Patched`` -in the generated reports. +:ref:`ref-classes-sbom-cve-check` will then capture this information and change the CVE +status to ``Patched`` in the generated reports. If analysis shows that the CVE issue does not impact the recipe due to configuration, platform, version or other reasons, the CVE can be marked as ``Ignored`` by using 
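Review bot: in the last hunk here, "will then capture this information" follows a sentence that lists three places for the CVE identifier (patch file name, patch commit message, recipe commit message), so it reads as if all three feed the report. The hunk before it says only that the ``CVE:`` tag in the patch commit message is needed for correct operation. Please state which of these :ref:`ref-classes-sbom-cve-check` actually reads to set ``Patched``; otherwise a fix recorded only in a file name or a recipe commit may stay ``Unpatched`` in the report without the author knowing why. In that earlier hunk, "For the correct operations of ..., it requires" would also read better as "To work correctly, ... requires".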
@@ -282,44 +287,6 @@ to fix those issues in the CVE database (NVD in the case of Note that if there are many CVEs with the same status and reason, those can be shared by using the :term:`CVE_STATUS_GROUPS` variable. -Recipes can be completely skipped by CVE check by including the recipe name in -the :term:`CVE_CHECK_SKIP_RECIPE` variable. - -Implementation details -====================== - -Here's what the ``cve-check`` class does to find unpatched CVE IDs. - -First the code goes through each patch file provided by a recipe. If a valid CVE ID -is found in the name of the file, the corresponding CVE is considered as patched. -Don't forget that if multiple CVE IDs are found in the filename, only the last -one is considered. Then, the code looks for ``CVE: CVE-ID`` lines in the patch -file. The found CVE IDs are also considered as patched. -Additionally ``CVE_STATUS`` variable flags are parsed for reasons mapped to ``Patched`` -and these are also considered as patched. - -Then, the code looks up all the CVE IDs in the NIST database for all the -products defined in :term:`CVE_PRODUCT`. Then, for each found CVE: - -- If the package name (:term:`PN`) is part of - :term:`CVE_CHECK_SKIP_RECIPE`, it is considered as ``Patched``. - -- If the CVE ID has status ``CVE_STATUS[] = "ignored"`` or if it's set to - any reason which is mapped to status ``Ignored`` via ``CVE_CHECK_STATUSMAP``, - it is set as ``Ignored``. - -- If the CVE ID is part of the patched CVE for the recipe, it is - already considered as ``Patched``. - -- Otherwise, the code checks whether the recipe version (:term:`PV`) - is within the range of versions impacted by the CVE. If so, the CVE - is considered as ``Unpatched``. - -The CVE database is stored in :term:`DL_DIR` and can be inspected using -``sqlite3`` command as follows:: - - sqlite3 downloads/CVE_CHECK2/nvd*.db .dump | grep CVE-2021-37462 - When analyzing CVEs, it is recommended to: - study the latest information in `CVE database `__. 
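Review bot: this removal drops the only description of how a status is decided, including the caveat that when a patch file name contains several CVE IDs only the last one is considered, and the sentence about skipping a recipe through :term:`CVE_CHECK_SKIP_RECIPE`. If those rules still hold under :ref:`ref-classes-sbom-cve-check`, keep a short summary here rather than relying only on the external link added further down; if they no longer hold, say so, because existing layers name their patches and set that variable based on the old behaviour.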
@@ -335,6 +302,12 @@ When analyzing CVEs, it is recommended to: - follow public `open source security mailing lists `__ for discussions and advance notifications of CVE bugs and software releases with fixes. +Implementation details +====================== + +As :ref:`ref-classes-sbom-cve-check` is an external tool, its implementation is detailed on +the official documentation: https://sbom-cve-check.readthedocs.io/en/latest/index.html + Linux kernel vulnerabilities ============================ 
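Review bot: the added sentence calls :ref:`ref-classes-sbom-cve-check` "an external tool", but that reference points to the class; the external tool is sbom-cve-check itself, which the class integrates. Suggest naming the tool and the class separately. The URL also points at the ``latest`` documentation, which follows the tool's development rather than the version used by this release, so a reader of this manual may end up with a description that does not match what their build runs. "detailed on the official documentation" should be "detailed in".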
@@ -396,15 +369,16 @@ Then the CVE information will automatically be added in the The ``openembedded-core/scripts/contrib/improve_kernel_cve_report.py`` script leverages CVE kernel metadata and the :term:`SPDX_INCLUDE_COMPILED_SOURCES` -variable to update a ``cve-summary.json`` file. It reduces CVE false -positives by 70%-80% and provide detailed responses for all kernel-related -CVEs by analyzing the files used to build the kernel. The script is decoupled from -the build and can be run outside of the :term:`BitBake` environment. +variable to update an output ``.sbom-cve-check.yocto.json`` report file (see +section :ref:`security-manual/vulnerabilities:Vulnerability check at build time` +for details on these report files). It reduces CVE false positives by 70%-80% +and provide detailed responses for all kernel-related CVEs by analyzing the +files used to build the kernel. The script is decoupled from the build and +can be run outside of the :term:`BitBake` environment. -The script uses the output from the :ref:`ref-classes-vex` or -``cve-check`` class as input, together with CVE information from -the Linux kernel CNA to enrich the ``cve-summary.json`` file with updated CVE -information. +The script uses the output from the :ref:`ref-classes-vex` as input, together +with CVE information from the Linux kernel CNA to enrich the +report file with updated CVE information. The file name can be specified as argument. Optionally, it can also use the list of compiled files from the kernel :term:`SPDX` to ignore CVEs that are @@ -465,7 +439,7 @@ the first two examples, using the old cve-summary.json. $ python3 openembedded-core/scripts/contrib/improve_kernel_cve_report.py \ --spdx tmp/deploy/spdx/3.0.1/qemux86_64/recipes/recipe-linux-yocto.spdx.json \ --datadir ~/vulns \ - --old-cve-report build/tmp/log/cve/cve-summary.json + --old-cve-report build/tmp/deploy/images//-.rootfs.sbom-cve-check.yocto.json - Example using ``--debug-sources`` file instead of SPDX kernel file: 
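Review bot: the examples in the second hunk now pass a ``.sbom-cve-check.yocto.json`` path to ``--old-cve-report``, but the hunk header shows that the sentence introducing them still reads "the first two examples, using the old cve-summary.json." and the patch does not touch it. In the first hunk, the first paragraph says the script updates the sbom-cve-check report while the second says its input is the output of :ref:`ref-classes-vex`, so it is unclear which file a user should feed it now that ``cve-check`` is gone. The added line is also missing the word "class" after that reference, and "and provide detailed responses" should be "provides".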
@@ -474,7 +448,7 @@ the first two examples, using the old cve-summary.json. $ python3 openembedded-core/scripts/contrib/improve_kernel_cve_report.py \ --debug-sources tmp/pkgdata/qemux86_64/debugsources/linux-yocto-debugsources.json.zstd \ --datadir ~/vulns \ - --old-cve-report build/tmp/log/cve/cve-summary.json + --old-cve-report build/tmp/deploy/images//-.rootfs.sbom-cve-check.yocto.json - Example using the ``--kernel-version``:
From: Antonin Godard Date: Wed, 22 Apr 2026 16:22:43 +0200 Subject: [PATCH 10/16] migration-guides/migration-6.0.rst: add migration notes on cve-check removal Message-Id: <20260422-third-release-notes-6-0-v1-10-06635e8648d1@bootlin.com> In-Reply-To: <20260422-third-release-notes-6-0-v1-0-06635e8648d1@bootlin.com> To: docs@lists.yoctoproject.org Cc: Thomas Petazzoni , Antonin Godard X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/9319 The cve-check class was removed with 00de455f8d3a ("classes/cve-check: remove class") in 
OE-Core. Add migration notes to migrate from cve-check to sbom-cve-check. Signed-off-by: Antonin Godard --- documentation/migration-guides/migration-6.0.rst | 74 ++++++++++++++++++++++ .../migration-guides/release-notes-6.0.rst | 3 - 2 files changed, 74 insertions(+), 3 deletions(-) diff --git a/documentation/migration-guides/migration-6.0.rst b/documentation/migration-guides/migration-6.0.rst index d763062da..731f2b990 100644 --- a/documentation/migration-guides/migration-6.0.rst +++ b/documentation/migration-guides/migration-6.0.rst 
@@ -291,6 +291,76 @@ information. Users are advised to transition to SDPX 3.0, which is provided by the :ref:`ref-classes-create-spdx` class. +``cve-check`` class removed +--------------------------- + +The ``cve-check`` class was removed and replaced by the +:ref:`ref-classes-sbom-cve-check` class. Quoting the commit removing the class +(:oecore_rev:`00de455f8d3aeca880129d23e8cfb7e246404699`): + +.. code-block:: text + + It's been long known that the cve-check class in oe-core is not that + usable in the real world, for more details see "Future of CVE scanning + in Yocto"[1]. This mail proposed an alternative direction that included + a CVE scanning tool that can be ran both during the build and afterwards, + so that periodic scans of a previously build image is possible. + + Last year, Bootlin wrote sbom-cve-check[2] and I compared this to my + proposal in "Comparing cve-check with sbom-cve-check"[3], concluding + that this is likely the missing piece. + + Support for sbom-cve-check has been merged into oe-core, and the + cve-check class is now obsolete. So that we don't have to maintain it for + the four-year lifecycle of the Wrynose release, delete it. + + This patch also deletes the database fetcher recipes, and the test cases + that were specific to cve-check. Note that the oe.cve_check library + still exists as this is used by the SPDX classes. + + [1] https://lore.kernel.org/openembedded-core/7D6E419E-A7AE-4324-966C-3552C586E452@arm.com/ + [2] https://github.com/bootlin/sbom-cve-check + [3] https://lore.kernel.org/openembedded-core/2CD10DD9-FB2A-4B10-B98A-85918EB6B4B7@arm.com/ + +Users currently using the ``cve-check`` class are advised to switch to +:ref:`ref-classes-sbom-cve-check`: + +- The following assignment:: + + INHERIT += "cve-check" + + Should be removed and replaced by:: + + OE_FRAGMENTS += "core/yocto/sbom-cve-check" + + This will enable the :ref:`ref-classes-sbom-cve-check` class along with the recommended + settings. 
+ + This will deploy two files to the deployment directory + (:term:`DEPLOY_DIR_IMAGE`) after building an image: + + - A file ending with ``.sbom-cve-check.yocto.json``: this is the output JSON + report in the same format as the one deployed by the ``cve-check`` class. + + - A file ending with ``.sbom-cve-check.spdx.json``: this is an output SPDX + report annonated with vulnerable CVEs. + +- The ``cve-check`` class output summary file (deployed in the + :term:`DEPLOY_DIR_IMAGE`) ending with ``.cve.txt`` is no longer + deployed by default but can be added back by adding the following statement + to a configuration file:: + + SBOM_CVE_CHECK_EXPORT_VARS:append = " SBOM_CVE_CHECK_EXPORT_SUMMARY" + + This will deploy a new file ending with ``.cve.txt``, which uses the same + format as the summary previously deployed by the ``cve-check`` class. + + See the documentation of :term:`SBOM_CVE_CHECK_EXPORT_VARS` for more + details. + +See the :doc:`/security-manual/vulnerabilities` section of the Yocto Project +Security Manual for more information. + :term:`CVE_PRODUCT` character escaping change --------------------------------------------- @@ -410,6 +480,10 @@ The following recipes have been removed in this release: (OE-Core)` and Python 3.14 now has built-in support for zstd (:oecore_rev:`55061de857657ea01babc5652caa062e8d292c44`) +- ``cve-update-db-native``, ``cve-update-nvd2-native``: removed with the + ``cve-check`` class removal as it was the only user of these recipes. + (:oecore_rev:`00de455f8d3aeca880129d23e8cfb7e246404699`) + Removed :term:`PACKAGECONFIG` options ------------------------------------- diff --git a/documentation/migration-guides/release-notes-6.0.rst b/documentation/migration-guides/release-notes-6.0.rst index 31d4cdfce..9d611d70a 100644 --- a/documentation/migration-guides/release-notes-6.0.rst +++ b/documentation/migration-guides/release-notes-6.0.rst 
@@ -574,9 +574,6 @@ New Features / Enhancements in |yocto-ver| - :ref:`ref-classes-sbom-cve-check`-related changes: - - ``cve-update-nvd2-native``: Use maximum CVSS score when extracting it from - multiple sources (:oecore_rev:`4f6192f3165de0bc2499e045607c7e7ffd878a4b`) - - Escape special characters in CPE 2.3 strings (:oecore_rev:`9dd9c0038907340ba08ff4c8ee06a8748c1ac00a`) From patchwork Wed Apr 22 14:22:44 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antonin Godard X-Patchwork-Id: 86653 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4964BF9EDE8 for ; Wed, 22 Apr 2026 14:23:10 +0000 (UTC) Received: from smtpout-04.galae.net (smtpout-04.galae.net [185.171.202.116]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.83820.1776867782656109172 for ; Wed, 22 Apr 2026 07:23:03 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@bootlin.com header.s=dkim header.b=vFk9hbkq; spf=pass (domain: bootlin.com, ip: 185.171.202.116, mailfrom: antonin.godard@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-04.galae.net (Postfix) with ESMTPS id EB7F8C5C3C8 for ; Wed, 22 Apr 2026 14:23:40 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id 235605FA8F for ; Wed, 22 Apr 2026 14:23:00 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 0399010460BA8; Wed, 22 Apr 2026 16:22:58 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=dkim; t=1776867779; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; 
From: Antonin Godard
Date: Wed, 22 Apr 2026 16:22:44 +0200
Subject: [PATCH 11/16] migration-guides/release-notes-6.0.rst: cover recent changes
MIME-Version: 1.0
Message-Id: <20260422-third-release-notes-6-0-v1-11-06635e8648d1@bootlin.com>
References: <20260422-third-release-notes-6-0-v1-0-06635e8648d1@bootlin.com>
In-Reply-To: <20260422-third-release-notes-6-0-v1-0-06635e8648d1@bootlin.com>
To: docs@lists.yoctoproject.org
Cc: Thomas Petazzoni, Antonin Godard
X-Mailer: b4 0.16-dev
X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/9321

Cover changes between 00de455f8d3a ("classes/cve-check: remove class") and 9a83f0878b6b ("busybox: fix for
CVE-2026-26157, CVE-2026-26158") in OE-Core. There were no changes to BitBake and meta-yocto since the last update of these release notes. Signed-off-by: Antonin Godard --- documentation/migration-guides/release-notes-6.0.rst | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/documentation/migration-guides/release-notes-6.0.rst b/documentation/migration-guides/release-notes-6.0.rst index 9d611d70a..c8b2c94cd 100644 --- a/documentation/migration-guides/release-notes-6.0.rst +++ b/documentation/migration-guides/release-notes-6.0.rst @@ -237,8 +237,6 @@ New Features / Enhancements in |yocto-ver| in the default distro setup (appearing as ``nodistro`` :term:`DISTRO`) (:oecore_rev:`175fcf9fad699dd122680d3f6961af9bf8487046`) -- Architecture-specific changes: - - QEMU / ``runqemu`` changes: - ``qemuboot```: Make the tap interface nameserver configurable through @@ -289,6 +287,9 @@ New Features / Enhancements in |yocto-ver| - Enable dynamic LLVM linking by default (:oecore_rev:`d0671c3dad87a063b3a41dd07cde89b5684e692c`) + - Enable fully static linking when :term:`TCLIBC` is set to ``musl`` + (:oecore_rev:`75409c60e9e63fdcbb9d4f54130052991362ec08`) + - Wic Image Creator changes: - ``wic/engine``: Fix copying directories into wic image with ``ext*`` @@ -297,8 +298,6 @@ New Features / Enhancements in |yocto-ver| - Re-implement sector-size support (:oecore_rev:`b50d6debf7baa555fbfb3521c4f952675bba2d37`) -- SDK-related changes: - - Testing-related changes: - :ref:`ref-classes-ptest` support was added for the following recipes: @@ -374,6 +373,9 @@ New Features / Enhancements in |yocto-ver| - Update data if CVE exists (:oecore_rev:`9ea6d9209b95f8d31975d71315fb52343e6aa729`) - Validate that cve details field exists (:oecore_rev:`80ff4903ea1b839f9cd9393b314c3adfbb80b765`) + - ``oe-pkgdata-util``: improve the ``lookup-pkg`` error message for + :term:`RPROVIDES` packages + (:oecore_rev:`46ff3a8d2c18fcba87c711bb23dbdabae20eef84`) - BitBake changes: 
@@ -463,8 +465,6 @@ New Features / Enhancements in |yocto-ver| configuration options when fetching Git repositories (:bitbake_rev:`4c378445969853d6aff4694d937b9af47c7f7300`) -- Packaging changes: - - Clang/LLVM related changes: - ``compiler-rt``: @@ -517,7 +517,6 @@ New Features / Enhancements in |yocto-ver| :term:`SPDX_INCLUDE_VEX` variable (:oecore_rev:`d999ac407c86b462134008818d5863ecb577f3c6`) - - ``devtool`` changes: - ``ide-sdk``: @@ -580,6 +579,7 @@ New Features / Enhancements in |yocto-ver| - New :term:`PACKAGECONFIG` options for individual recipes: - ``curl``: ``schannel`` + - ``gstreamer1.0-plugins-bad``: ``fdkaac`` - ``gstreamer1.0-plugins-good``: ``qt6`` - ``libinput``: ``lua``, ``libwacom``, ``mtdev`` - ``librepo``: ``sequoia`` @@ -590,6 +590,7 @@ New Features / Enhancements in |yocto-ver| - ``python3``: ``freethreading`` (experimental, see :oecore_rev:`c56990178b31b893fbf695eaf6b67de501e9d2e9`) - ``python3-cryptography``: ``legacy-openssl`` + - ``systemtap``: ``readline`` - systemd related changes: 
@@ -733,6 +734,10 @@ New Features / Enhancements in |yocto-ver| - :ref:`ref-classes-archiver`: Don't try to preserve all attributes when copying files (:oecore_rev:`6e8313688fa994c82e4c846993ed8da0d1f4db0e`) + - :ref:`ref-classes-useradd`: allow inheriting the class with only + :term:`USERADD_DEPENDS` set, when a recipe only depends on users/groups + created by another (:oecore_rev:`09a901b9874f76e665fb4ba9e537703a792011e3`) + Known Issues in |yocto-ver| --------------------------- From patchwork Wed Apr 22 14:22:45 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antonin Godard X-Patchwork-Id: 86654 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3CBB3F9EDE7 for ; Wed, 22 Apr 2026 14:23:10 +0000 (UTC) Received: from smtpout-04.galae.net (smtpout-04.galae.net [185.171.202.116]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.83717.1776867782830688669 for ; Wed, 22 Apr 2026 07:23:03 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@bootlin.com header.s=dkim header.b=rDhr2HTg; spf=pass (domain: bootlin.com, ip: 185.171.202.116, mailfrom: antonin.godard@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-04.galae.net (Postfix) with ESMTPS id B4F0FC5C3CC for ; Wed, 22 Apr 2026 14:23:41 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id E0EEE5FA8F for ; Wed, 22 Apr 2026 14:23:00 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 07A44104609BF; Wed, 22 Apr 2026 16:22:59 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=dkim; t=1776867780; 
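Review bot: The context of the @@ -237,8 +237,6 @@ hunk shows ``qemuboot``` with three closing backticks, directly under the empty "Architecture-specific changes:" heading that is being removed. The extra backtick breaks the inline literal in the rendered page, and since this patch is already tidying this part of the list it is a good place to fix it to ``qemuboot``.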
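Review bot: In the @@ -733,6 +734,10 @@ hunk, the useradd entry ends with "created by another", which leaves the reader to supply the noun; write "created by another recipe". The entry also starts in lowercase ("allow inheriting") while the archiver entry right above it starts with a capital ("Don't try"), and the same applies to "improve the ``lookup-pkg`` error message" in the @@ -374,6 +373,9 @@ hunk.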
From: Antonin Godard
Date: Wed, 22 Apr 2026 16:22:45 +0200
Subject: [PATCH 12/16] migration-guides/release-notes-6.0.rst: add license changes
MIME-Version: 1.0
Message-Id: <20260422-third-release-notes-6-0-v1-12-06635e8648d1@bootlin.com>
References: <20260422-third-release-notes-6-0-v1-0-06635e8648d1@bootlin.com>
In-Reply-To: <20260422-third-release-notes-6-0-v1-0-06635e8648d1@bootlin.com>
To: docs@lists.yoctoproject.org
Cc: Thomas Petazzoni, Antonin Godard
X-Mailer: b4 0.16-dev
X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/9320

Add license changes between yocto-5.3 and 9a83f0878b6b ("busybox: fix for CVE-2026-26157, CVE-2026-26158")
on OE-Core. Signed-off-by: Antonin Godard --- .../migration-guides/release-notes-6.0.rst | 30 +++++++++++++++++++--- 1 file changed, 26 insertions(+), 4 deletions(-) diff --git a/documentation/migration-guides/release-notes-6.0.rst b/documentation/migration-guides/release-notes-6.0.rst index c8b2c94cd..d8efd2e86 100644 --- a/documentation/migration-guides/release-notes-6.0.rst +++ b/documentation/migration-guides/release-notes-6.0.rst 
@@ -748,18 +748,40 @@ Known Issues in |yocto-ver| Recipe License changes in |yocto-ver| ------------------------------------- +.. + Going through commits on OE-Core filtered by License-Update: + git log -U0 --patch --grep "License-Update:" yocto-5.3..origin/master + The following changes have been made to the :term:`LICENSE` values set by recipes: .. list-table:: :widths: 20 40 40 :header-rows: 1 - * - Recipe - - Previous value - - New value - * - ``recipe name`` + * - Recipe(s) - Previous value - New value + * - ``libxcrypt-compat``, ``libxcrypt`` + - ``LGPL-2.1-only`` + - ``LGPL-2.1-only & 0BSD & BSD-3-Clause`` + * - ``libpcre2`` + - ``BSD-3-Clause`` + - ``BSD-3-Clause & BSD-2-Clause & MIT`` + * - ``libtest-fatal-perl`` + - ``Artistic-1.0 | GPL-1.0-or-later`` + - ``Artistic-1.0-Perl | GPL-1.0-or-later`` + * - ``python3-cffi`` + - ``MIT`` + - ``MIT-0`` + * - ``icu`` + - ``ICU`` + - ``ICU & MIT`` + * - ``iso-code`` + - ``LGPL-2.1-only`` + - ``LGPL-2.1-or-later`` + * - ``ruby`` + - ``Ruby | BSD-2-Clause | BSD-3-Clause | GPL-2.0-only | ISC | MIT`` + - ``Ruby | BSD-2-Clause | BSD-3-Clause | GPL-2.0-only | ISC | MIT | BSL-1.0 | Apache-2.0`` Security Fixes in |yocto-ver| ----------------------------- From patchwork Wed Apr 22 14:22:46 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antonin Godard X-Patchwork-Id: 86656 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5CB42F9EDEB for ; Wed, 22 Apr 2026 14:23:10 +0000 (UTC) Received: from smtpout-04.galae.net (smtpout-04.galae.net [185.171.202.116]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.83823.1776867783910150639 for ; Wed, 22 Apr 2026 07:23:04 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not 
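Review bot: The comment added at the top of the @@ -748,18 +748,40 @@ hunk records the range as yocto-5.3..origin/master, which moves with every push, while the commit message pins the end of the range to 9a83f0878b6b. Put the pinned revision in the comment, or say there that the end ref has to be updated on each pass, so that whoever regenerates the table next can tell which License-Update commits are already covered.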
From: Antonin Godard
Date: Wed, 22 Apr 2026 16:22:46 +0200
Subject: [PATCH 13/16] migration-guides/release-notes-6.0.rst: update CFE fixes
MIME-Version: 1.0
Message-Id: <20260422-third-release-notes-6-0-v1-13-06635e8648d1@bootlin.com>
References: <20260422-third-release-notes-6-0-v1-0-06635e8648d1@bootlin.com>
In-Reply-To: <20260422-third-release-notes-6-0-v1-0-06635e8648d1@bootlin.com>
To: docs@lists.yoctoproject.org
Cc: Thomas Petazzoni, Antonin Godard
X-Mailer: b4 0.16-dev
X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/9322

Use documentation/tools/gen-cve-release-notes to generate the array.
Signed-off-by: Antonin Godard --- .../migration-guides/release-notes-6.0.rst | 69 +++++++++++++++++++++- 1 file changed, 67 insertions(+), 2 deletions(-) + * - ``vim`` + - :cve_nist:`2026-28417`, :cve_nist:`2026-28418`, :cve_nist:`2026-28419`, :cve_nist:`2026-28420`, :cve_nist:`2026-28421`, :cve_nist:`2026-28422`, :cve_nist:`2026-33412`, :cve_nist:`2026-34714`, :cve_nist:`2026-35177` + * - ``xz`` + - :cve_nist:`2026-34743` Recipe Upgrades in |yocto-ver| ------------------------------ diff --git a/documentation/migration-guides/release-notes-6.0.rst b/documentation/migration-guides/release-notes-6.0.rst index d8efd2e86..a37beb30b 100644 --- a/documentation/migration-guides/release-notes-6.0.rst +++ b/documentation/migration-guides/release-notes-6.0.rst @@ -786,6 +786,9 @@ The following changes have been made to the :term:`LICENSE` values set by recipe Security Fixes in |yocto-ver| ----------------------------- +.. + Generated with documentation/tools/gen-cve-release-notes + The following CVEs have been fixed: .. list-table:: 
@@ -794,8 +797,70 @@ The following CVEs have been fixed: * - Recipe - CVE IDs - * - ``recipe name`` - - :cve_nist:`xxx-xxxx`, ... + * - ``avahi`` + - :cve_nist:`2025-59529`, :cve_nist:`2026-34933` + * - ``binutils`` + - :cve_nist:`2025-69644`, :cve_nist:`2025-69647`, :cve_nist:`2025-69648`, :cve_nist:`2025-69649`, :cve_nist:`2025-69650`, :cve_nist:`2025-69651`, :cve_nist:`2025-69652`, :cve_nist:`2026-3441`, :cve_nist:`2026-3442`, :cve_nist:`2026-4647` + * - ``binutils-cross-x86_64`` + - :cve_nist:`2025-69644`, :cve_nist:`2025-69647`, :cve_nist:`2025-69648`, :cve_nist:`2025-69649`, :cve_nist:`2025-69650`, :cve_nist:`2025-69651`, :cve_nist:`2025-69652`, :cve_nist:`2026-3441`, :cve_nist:`2026-3442`, :cve_nist:`2026-4647` + * - ``binutils-testsuite`` + - :cve_nist:`2025-69644`, :cve_nist:`2025-69647`, :cve_nist:`2025-69648`, :cve_nist:`2025-69649`, :cve_nist:`2025-69650`, :cve_nist:`2025-69651`, :cve_nist:`2025-69652`, :cve_nist:`2026-3441`, :cve_nist:`2026-3442`, :cve_nist:`2026-4647` + * - ``cargo`` + - :cve_nist:`2026-39837`, :cve_nist:`2026-39839`, :cve_nist:`2026-39840`, :cve_nist:`2026-39841` + * - ``cups`` + - :cve_nist:`2026-34978`, :cve_nist:`2026-34979`, :cve_nist:`2026-34980`, :cve_nist:`2026-34990`, :cve_nist:`2026-39314`, :cve_nist:`2026-39316` + * - ``ffmpeg`` + - :cve_nist:`2025-69693`, :cve_nist:`2026-40962` + * - ``glibc`` + - :cve_nist:`2026-4046`, :cve_nist:`2026-4437`, :cve_nist:`2026-4438` + * - ``go`` + - :cve_nist:`2026-27140`, :cve_nist:`2026-27143`, :cve_nist:`2026-27144`, :cve_nist:`2026-32280`, :cve_nist:`2026-32281`, :cve_nist:`2026-32282`, :cve_nist:`2026-32283`, :cve_nist:`2026-32288`, :cve_nist:`2026-32289` + * - ``go-binary-native`` + - :cve_nist:`2026-27140`, :cve_nist:`2026-27143`, :cve_nist:`2026-27144`, :cve_nist:`2026-32280`, :cve_nist:`2026-32281`, :cve_nist:`2026-32282`, :cve_nist:`2026-32283`, :cve_nist:`2026-32288`, :cve_nist:`2026-32289` + * - ``go-cross-x86-64-v3`` + - :cve_nist:`2026-27140`, :cve_nist:`2026-27143`, 
:cve_nist:`2026-27144`, :cve_nist:`2026-32280`, :cve_nist:`2026-32281`, :cve_nist:`2026-32282`, :cve_nist:`2026-32283`, :cve_nist:`2026-32288`, :cve_nist:`2026-32289` + * - ``go-runtime`` + - :cve_nist:`2026-27140`, :cve_nist:`2026-27143`, :cve_nist:`2026-27144`, :cve_nist:`2026-32280`, :cve_nist:`2026-32281`, :cve_nist:`2026-32282`, :cve_nist:`2026-32283`, :cve_nist:`2026-32288`, :cve_nist:`2026-32289` + * - ``gstreamer1.0`` + - :cve_nist:`2026-2920`, :cve_nist:`2026-2921`, :cve_nist:`2026-2922`, :cve_nist:`2026-2923`, :cve_nist:`2026-3081`, :cve_nist:`2026-3082`, :cve_nist:`2026-3083`, :cve_nist:`2026-3084`, :cve_nist:`2026-3085`, :cve_nist:`2026-3086` + * - ``libarchive`` + - :cve_nist:`2026-5121` + * - ``libexif`` + - :cve_nist:`2026-40385`, :cve_nist:`2026-40386` + * - ``libinput`` + - :cve_nist:`2026-35093`, :cve_nist:`2026-35094` + * - ``libpng`` + - :cve_nist:`2026-33416`, :cve_nist:`2026-33636` + * - ``libsndfile1`` + - :cve_nist:`2024-50613`, :cve_nist:`2025-52194` + * - ``libsoup`` + - :cve_nist:`2026-1467`, :cve_nist:`2026-1536`, :cve_nist:`2026-1539`, :cve_nist:`2026-1801`, :cve_nist:`2026-2443`, :cve_nist:`2026-3099`, :cve_nist:`2026-3632`, :cve_nist:`2026-3633`, :cve_nist:`2026-3634`, :cve_nist:`2026-4271`, :cve_nist:`2026-5119` + * - ``linux-yocto`` + - :cve_nist:`2019-14899`, :cve_nist:`2021-3714`, :cve_nist:`2021-3864`, :cve_nist:`2022-0400`, :cve_nist:`2022-1247`, :cve_nist:`2022-4543`, :cve_nist:`2023-3397`, :cve_nist:`2023-3640`, :cve_nist:`2023-4010`, :cve_nist:`2023-6238`, :cve_nist:`2023-6240`, :cve_nist:`2025-40039`, :cve_nist:`2025-40040`, :cve_nist:`2025-40082`, :cve_nist:`2025-40149`, :cve_nist:`2025-40164`, :cve_nist:`2025-40251`, :cve_nist:`2025-68211`, :cve_nist:`2025-68214`, :cve_nist:`2025-68223`, :cve_nist:`2025-68333`, :cve_nist:`2025-68340`, :cve_nist:`2025-68351`, :cve_nist:`2025-68358`, :cve_nist:`2025-68365`, :cve_nist:`2025-68725`, :cve_nist:`2025-68749`, :cve_nist:`2025-68817`, :cve_nist:`2025-68823`, :cve_nist:`2025-71071`, 
:cve_nist:`2025-71072`, :cve_nist:`2025-71073`, :cve_nist:`2025-71074`, :cve_nist:`2025-71075`, :cve_nist:`2025-71076`, :cve_nist:`2025-71077`, :cve_nist:`2025-71078`, :cve_nist:`2025-71079`, :cve_nist:`2025-71080`, :cve_nist:`2025-71081`, :cve_nist:`2025-71082`, :cve_nist:`2025- 71083`, :cve_nist:`2025-71084`, :cve_nist:`2025-71085`, :cve_nist:`2025-71086`, :cve_nist:`2025-71087`, :cve_nist:`2025-71088`, :cve_nist:`2025-71089`, :cve_nist:`2025-71091`, :cve_nist:`2025-71093`, :cve_nist:`2025-71094`, :cve_nist:`2025-71095`, :cve_nist:`2025-71096`, :cve_nist:`2025-71097`, :cve_nist:`2025-71098`, :cve_nist:`2025-71099`, :cve_nist:`2025-71100`, :cve_nist:`2025-71101`, :cve_nist:`2025-71102`, :cve_nist:`2025-71104`, :cve_nist:`2025-71105`, :cve_nist:`2025-71107`, :cve_nist:`2025-71108`, :cve_nist:`2025-71109`, :cve_nist:`2025-71111`, :cve_nist:`2025-71112`, :cve_nist:`2025-71113`, :cve_nist:`2025-71114`, :cve_nist:`2025-71115`, :cve_nist:`2025-71116`, :cve_nist:`2025-71117`, :cve_nist:`2025-71118`, :cve_nist:`2025-71119`, :cve_nist:`2025-71120`, :cve_nist:`2025-71121`, :cve_nist:`2025-71122`, :cve_nist:`2025-71124`, :cve_nist:`2025-71125`, :cve_nist:`2025-71126`, :cve_nist:`2025-71127`, :cve_nist:`2025-71128`, :cve_nist:`2025-71129`, :cve_nist:`2025-71130`, :cve_ nist:`2025-71131`, :cve_nist:`2025-71132`, :cve_nist:`2025-71133`, :cve_nist:`2025-71134`, :cve_nist:`2025-71135`, :cve_nist:`2025-71136`, :cve_nist:`2025-71137`, :cve_nist:`2025-71138`, :cve_nist:`2025-71141`, :cve_nist:`2025-71142`, :cve_nist:`2025-71143`, :cve_nist:`2025-71147`, :cve_nist:`2025-71148`, :cve_nist:`2025-71149`, :cve_nist:`2025-71150`, :cve_nist:`2025-71151`, :cve_nist:`2025-71152`, :cve_nist:`2025-71153`, :cve_nist:`2025-71154`, :cve_nist:`2025-71156`, :cve_nist:`2025-71157`, :cve_nist:`2025-71158`, :cve_nist:`2025-71160`, :cve_nist:`2025-71161`, :cve_nist:`2025-71162`, :cve_nist:`2025-71163`, :cve_nist:`2025-71180`, :cve_nist:`2025-71182`, :cve_nist:`2025-71183`, :cve_nist:`2025-71184`, 
:cve_nist:`2025-71185`, :cve_nist:`2025-71186`, :cve_nist:`2025-71187`, :cve_nist:`2025-71188`, :cve_nist:`2025-71189`, :cve_nist:`2025-71190`, :cve_nist:`2025-71191`, :cve_nist:`2025-71200`, :cve_nist:`2025-71201`, :cve_nist:`2025-71202`, :cve_nist:`2025-71203`, :cve_nist:`2025-71 204`, :cve_nist:`2025-71220`, :cve_nist:`2025-71221`, :cve_nist:`2025-71222`, :cve_nist:`2025-71223`, :cve_nist:`2025-71225`, :cve_nist:`2025-71227`, :cve_nist:`2025-71229`, :cve_nist:`2025-71230`, :cve_nist:`2025-71231`, :cve_nist:`2025-71232`, :cve_nist:`2025-71233`, :cve_nist:`2025-71234`, :cve_nist:`2025-71235`, :cve_nist:`2025-71236`, :cve_nist:`2025-71237`, :cve_nist:`2025-71238`, :cve_nist:`2026-22976`, :cve_nist:`2026-22977`, :cve_nist:`2026-22978`, :cve_nist:`2026-22979`, :cve_nist:`2026-22980`, :cve_nist:`2026-22981`, :cve_nist:`2026-22982`, :cve_nist:`2026-22984`, :cve_nist:`2026-22985`, :cve_nist:`2026-22986`, :cve_nist:`2026-22989`, :cve_nist:`2026-22990`, :cve_nist:`2026-22991`, :cve_nist:`2026-22992`, :cve_nist:`2026-22993`, :cve_nist:`2026-22994`, :cve_nist:`2026-22996`, :cve_nist:`2026-22997`, :cve_nist:`2026-22998`, :cve_nist:`2026-22999`, :cve_nist:`2026-23000`, :cve_nist:`2026-23001`, :cve_nist:`2026-23002`, :cve_nist:`2026-23003`, :cve_nist:`2026-23005`, :cve_ni st:`2026-23006`, :cve_nist:`2026-23007`, :cve_nist:`2026-23008`, :cve_nist:`2026-23009`, :cve_nist:`2026-23010`, :cve_nist:`2026-23011`, :cve_nist:`2026-23013`, :cve_nist:`2026-23015`, :cve_nist:`2026-23017`, :cve_nist:`2026-23018`, :cve_nist:`2026-23019`, :cve_nist:`2026-23020`, :cve_nist:`2026-23021`, :cve_nist:`2026-23023`, :cve_nist:`2026-23025`, :cve_nist:`2026-23026`, :cve_nist:`2026-23060`, :cve_nist:`2026-23061`, :cve_nist:`2026-23062`, :cve_nist:`2026-23063`, :cve_nist:`2026-23064`, :cve_nist:`2026-23065`, :cve_nist:`2026-23066`, :cve_nist:`2026-23067`, :cve_nist:`2026-23068`, :cve_nist:`2026-23069`, :cve_nist:`2026-23070`, :cve_nist:`2026-23071`, :cve_nist:`2026-23072`, :cve_nist:`2026-23073`, 
:cve_nist:`2026-23074`, :cve_nist:`2026-23075`, :cve_nist:`2026-23076`, :cve_nist:`2026-23077`, :cve_nist:`2026-23078`, :cve_nist:`2026-23080`, :cve_nist:`2026-23081`, :cve_nist:`2026-23083`, :cve_nist:`2026-23084`, :cve_nist:`2026-23085`, :cve_nist:`2026-23086`, :cve_nist:`2026-2308 7`, :cve_nist:`2026-23088`, :cve_nist:`2026-23089`, :cve_nist:`2026-23090`, :cve_nist:`2026-23091`, :cve_nist:`2026-23092`, :cve_nist:`2026-23093`, :cve_nist:`2026-23094`, :cve_nist:`2026-23095`, :cve_nist:`2026-23096`, :cve_nist:`2026-23097`, :cve_nist:`2026-23098`, :cve_nist:`2026-23099`, :cve_nist:`2026-23100`, :cve_nist:`2026-23101`, :cve_nist:`2026-23102`, :cve_nist:`2026-23103`, :cve_nist:`2026-23104`, :cve_nist:`2026-23105`, :cve_nist:`2026-23107`, :cve_nist:`2026-23108`, :cve_nist:`2026-23109`, :cve_nist:`2026-23110`, :cve_nist:`2026-23111`, :cve_nist:`2026-23112`, :cve_nist:`2026-23113`, :cve_nist:`2026-23114`, :cve_nist:`2026-23115`, :cve_nist:`2026-23116`, :cve_nist:`2026-23118`, :cve_nist:`2026-23119`, :cve_nist:`2026-23120`, :cve_nist:`2026-23121`, :cve_nist:`2026-23122`, :cve_nist:`2026-23123`, :cve_nist:`2026-23124`, :cve_nist:`2026-23125`, :cve_nist:`2026-23126`, :cve_nist:`2026-23128`, :cve_nist:`2026-23129`, :cve_nist:`2026-23130`, :cve_nist:`2026-23131`, :cve_nist :`2026-23133`, :cve_nist:`2026-23135`, :cve_nist:`2026-23136`, :cve_nist:`2026-23137`, :cve_nist:`2026-23138`, :cve_nist:`2026-23139`, :cve_nist:`2026-23140`, :cve_nist:`2026-23141`, :cve_nist:`2026-23142`, :cve_nist:`2026-23143`, :cve_nist:`2026-23144`, :cve_nist:`2026-23146`, :cve_nist:`2026-23147`, :cve_nist:`2026-23148`, :cve_nist:`2026-23150`, :cve_nist:`2026-23151`, :cve_nist:`2026-23152`, :cve_nist:`2026-23154`, :cve_nist:`2026-23156`, :cve_nist:`2026-23157`, :cve_nist:`2026-23158`, :cve_nist:`2026-23160`, :cve_nist:`2026-23161`, :cve_nist:`2026-23163`, :cve_nist:`2026-23164`, :cve_nist:`2026-23166`, :cve_nist:`2026-23167`, :cve_nist:`2026-23168`, :cve_nist:`2026-23169`, :cve_nist:`2026-23170`, 
:cve_nist:`2026-23171`, :cve_nist:`2026-23172`, :cve_nist:`2026-23173`, :cve_nist:`2026-23186`, :cve_nist:`2026-23187`, :cve_nist:`2026-23188`, :cve_nist:`2026-23190`, :cve_nist:`2026-23191`, :cve_nist:`2026-23192`, :cve_nist:`2026-23193`, :cve_nist:`2026-23195`, :cve_nist:`2026-23196` , :cve_nist:`2026-23197`, :cve_nist:`2026-23198`, :cve_nist:`2026-23199`, :cve_nist:`2026-23201`, :cve_nist:`2026-23204`, :cve_nist:`2026-23205`, :cve_nist:`2026-23206`, :cve_nist:`2026-23208`, :cve_nist:`2026-23209`, :cve_nist:`2026-23210`, :cve_nist:`2026-23212`, :cve_nist:`2026-23213`, :cve_nist:`2026-23214`, :cve_nist:`2026-23215`, :cve_nist:`2026-23216`, :cve_nist:`2026-23217`, :cve_nist:`2026-23219`, :cve_nist:`2026-23220`, :cve_nist:`2026-23221`, :cve_nist:`2026-23222`, :cve_nist:`2026-23223`, :cve_nist:`2026-23224`, :cve_nist:`2026-23226`, :cve_nist:`2026-23227`, :cve_nist:`2026-23228`, :cve_nist:`2026-23229`, :cve_nist:`2026-23230`, :cve_nist:`2026-23231`, :cve_nist:`2026-23233`, :cve_nist:`2026-23234`, :cve_nist:`2026-23235`, :cve_nist:`2026-23236`, :cve_nist:`2026-23237`, :cve_nist:`2026-23238` + * - ``mesa`` + - :cve_nist:`2026-40393` + * - ``nfs-utils`` + - :cve_nist:`2025-12801` + * - ``nghttp2`` + - :cve_nist:`2026-27135` + * - ``openssh`` + - :cve_nist:`2026-35414` + * - ``python3`` + - :cve_nist:`2026-4519` + * - ``python3-requests`` + - :cve_nist:`2026-25645` + * - ``qemu`` + - :cve_nist:`2024-6519` + * - ``qemu-system-native`` + - :cve_nist:`2024-6519` + * - ``sqlite3`` + - :cve_nist:`2025-70873` + * - ``systemd-boot`` + - :cve_nist:`2026-29111`, :cve_nist:`2026-40226` From patchwork Wed Apr 22 14:22:47 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Antonin Godard X-Patchwork-Id: 86659 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain 
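Review bot: The generated table in the @@ -794,8 +797,70 @@ hunk repeats identical CVE lists across recipes that share a source: ``binutils``, ``binutils-cross-x86_64`` and ``binutils-testsuite``; ``go``, ``go-binary-native``, ``go-cross-x86-64-v3`` and ``go-runtime``; ``qemu`` and ``qemu-system-native``. Two of those names carry an architecture suffix (x86_64, x86-64-v3) that means little to a reader of the release notes. Consider merging each group into a single row, the way the license table does with its "Recipe(s)" column, either in gen-cve-release-notes or by hand after generation. The subject line also says "CFE fixes" where "CVE fixes" is meant.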
From: Antonin Godard
Date: Wed, 22 Apr 2026 16:22:47 +0200
Subject: [PATCH 14/16] migration-guides/release-notes-6.0.rst: add recipe version changes
MIME-Version: 1.0
Message-Id: <20260422-third-release-notes-6-0-v1-14-06635e8648d1@bootlin.com>
References: <20260422-third-release-notes-6-0-v1-0-06635e8648d1@bootlin.com>
In-Reply-To: <20260422-third-release-notes-6-0-v1-0-06635e8648d1@bootlin.com>
To: docs@lists.yoctoproject.org
Cc: Thomas Petazzoni, Antonin Godard
X-Mailer: b4 0.16-dev
X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/9323

Signed-off-by: Antonin Godard --- .../migration-guides/release-notes-6.0.rst | 1130 +++++++++++++++++++- 1 file changed, 1125 insertions(+), 5 deletions(-) diff --git a/documentation/migration-guides/release-notes-6.0.rst b/documentation/migration-guides/release-notes-6.0.rst index a37beb30b..395694583 100644 --- a/documentation/migration-guides/release-notes-6.0.rst +++ b/documentation/migration-guides/release-notes-6.0.rst @@ -865,6 +865,10 @@ The following CVEs have been fixed: Recipe Upgrades in |yocto-ver| ------------------------------ +.. + Generated with https://layers.openembedded.org/layerindex/branch_comparison + With "rST" output selected + The following recipes have been upgraded: .. list-table:: 
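Review bot: The comment added under "Recipe Upgrades in |yocto-ver|" names the layerindex branch_comparison page and the "rST" output option, but not the two branches that were compared, so the table that follows cannot be regenerated or checked against the same inputs. Consider recording the "from" and "to" branch names in the comment, along with the date the comparison was generated.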
@@ -872,11 +876,1127 @@ The following recipes have been upgraded: :header-rows: 1 * - Recipe - - Previous version - - New version - * - ``recipe name`` - - Previous version - - New version + - Previous version(s) + - New version(s) + * - ``acpica`` + - 20250807 + - 20251212 + * - ``adwaita-icon-theme`` + - 48.0 + - 49.0 + * - ``alsa-lib`` + - 1.2.14 + - 1.2.15.3 + * - ``alsa-tools`` + - 1.2.14 + - 1.2.15 + * - ``alsa-ucm-conf`` + - 1.2.14 + - 1.2.15.3 + * - ``alsa-utils`` + - 1.2.14 + - 1.2.15.2 + * - ``appstream`` + - 1.0.6 + - 1.1.2 + * - ``aspell`` + - 0.60.8.1 + - 0.60.8.2 + * - ``at-spi2-core`` + - 2.56.4 + - 2.60.0 + * - ``autoconf`` + - 2.72 + - 2.73 + * - ``barebox`` + - 2025.09.3 + - 2026.03.1 + * - ``barebox-tools`` + - 2025.09.3 + - 2026.03.1 + * - ``base-passwd`` + - 3.6.7 + - 3.6.8 + * - ``bash-completion`` + - 2.16.0 + - 2.17.0 + * - ``bind`` + - 9.20.15 + - 9.20.22 + * - ``binutils`` + - 2.45.1+git + - 2.46 + * - ``binutils-cross`` + - 2.45.1+git + - 2.46 + * - ``binutils-cross-canadian`` + - 2.45.1+git + - 2.46 + * - ``binutils-crosssdk`` + - 2.45.1+git + - 2.46 + * - ``binutils-testsuite`` + - 2.45.1+git + - 2.46 + * - ``bluez5`` + - 5.84 + - 5.86 + * - ``boost`` + - 1.89.0 + - 1.90.0 + * - ``boost-build-native`` + - 1.89.0 + - 1.90.0 + * - ``btrfs-tools`` + - 6.16 + - 6.19.1 + * - ``cargo`` + - 1.90.0 + - 1.94.1 + * - ``cargo-c`` + - 0.10.16+cargo-0.91.0 + - 0.10.21+cargo-0.95.0 + * - ``ccache`` + - 4.12.3 + - 4.13.2 + * - ``clang`` + - 21.1.7 + - 22.1.3 + * - ``cmake`` + - 4.1.2 + - 4.3.1 + * - ``cmake-native`` + - 4.1.2 + - 4.3.1 + * - ``compiler-rt`` + - 21.1.7 + - 22.1.3 + * - ``compiler-rt-sanitizers`` + - 21.1.7 + - 22.1.3 + * - ``connman`` + - 1.45 + - 2.0 + * - ``coreutils`` + - 9.7 + - 9.10 + * - ``createrepo-c`` + - 1.2.1 + - 1.2.3 + * - ``cross-localedef-native`` + - 2.42+git + - 2.43+git + * - ``cryptodev-linux`` + - 1.14 (135cbff90af2…) + - 1.14 (08644db02d43…) + * - ``cryptodev-module`` + - 1.14 (135cbff90af2…) + - 1.14 
(08644db02d43…) + * - ``cryptodev-tests`` + - 1.14 (135cbff90af2…) + - 1.14 (08644db02d43…) + * - ``cups`` + - 2.4.15 + - 2.4.16 + * - ``curl`` + - 8.17.0 + - 8.19.0 + * - ``dhcpcd`` + - 10.2.4 + - 10.3.0 + * - ``diffoscope`` + - 306 + - 314 + * - ``dmidecode`` + - 3.6 + - 3.7 + * - ``dnf`` + - 4.23.0 + - 4.24.0 + * - ``dos2unix`` + - 7.5.2 + - 7.5.4 + * - ``dpkg`` + - 1.22.21 + - 1.23.7 + * - ``dropbear`` + - 2025.88 + - 2025.89 + * - ``e2fsprogs`` + - 1.47.3 + - 1.47.4 + * - ``ed`` + - 1.22.2 + - 1.22.5 + * - ``elfutils`` + - 0.193 + - 0.194 + * - ``ell`` + - 0.80 + - 0.83 + * - ``enchant2`` + - 2.8.14 + - 2.8.15 + * - ``epiphany`` + - 48.5 + - 49.7 + * - ``erofs-utils`` + - 1.8.10 + - 1.9.1 + * - ``ethtool`` + - 6.15 + - 6.19 + * - ``expat`` + - 2.7.4 + - 2.7.5 + * - ``fastfloat`` + - 8.0.2 + - 8.2.4 + * - ``ffmpeg`` + - 8.0 + - 8.0.1 + * - ``file`` + - 5.46 + - 5.47 + * - ``fmt`` + - 11.2.0 + - 12.1.0 + * - ``font-alias`` + - 1.0.5 + - 1.0.6 + * - ``freetype`` + - 2.13.3 + - 2.14.3 + * - ``gawk`` + - 5.3.2 + - 5.4.0 + * - ``gdb`` + - 16.3 + - 17.1 + * - ``gdb-cross`` + - 16.3 + - 17.1 + * - ``gdb-cross-canadian`` + - 16.3 + - 17.1 + * - ``gdk-pixbuf`` + - 2.42.12 + - 2.44.5 + * - ``gettext`` + - 0.26 + - 1.0 + * - ``gettext-minimal-native`` + - 0.26 + - 1.0 + * - ``gi-docgen`` + - 2025.4 + - 2026.1 + * - ``git`` + - 2.51.0 + - 2.53.0 + * - ``glew`` + - 2.2.0 + - 2.3.1 + * - ``glib-2.0`` + - 2.86.4 + - 2.88.0 + * - ``glib-2.0-initial`` + - 2.86.4 + - 2.88.0 + * - ``glibc`` + - 2.42+git + - 2.43+git + * - ``glibc-locale`` + - 2.42+git + - 2.43+git + * - ``glibc-mtrace`` + - 2.42+git + - 2.43+git + * - ``glibc-scripts`` + - 2.42+git + - 2.43+git + * - ``glibc-testsuite`` + - 2.42+git + - 2.43+git + * - ``glslang`` + - 1.4.328.1 + - 1.4.341.0 + * - ``gn`` + - 0+git (81b24e01531e…) + - 0+git (9d19a7870add…) + * - ``gnu-efi`` + - 4.0.2 + - 4.0.4 + * - ``gnupg`` + - 2.5.11 + - 2.5.17 + * - ``gnutls`` + - 3.8.10 + - 3.8.12 + * - ``go`` + - 1.25.9 + - 1.26.2 + * - 
``go-binary-native`` + - 1.25.9 + - 1.26.2 + * - ``go-cross-canadian`` + - 1.25.9 + - 1.26.2 + * - ``go-cross-core2-32`` + - 1.25.9 + - 1.26.2 + * - ``go-crosssdk`` + - 1.25.9 + - 1.26.2 + * - ``go-helloworld`` + - 0.1 (8b405629c4a5…) + - 0.1 (7f05d217867b…) + * - ``go-runtime`` + - 1.25.9 + - 1.26.2 + * - ``gobject-introspection`` + - 1.84.0 + - 1.86.0 + * - ``groff`` + - 1.23.0 + - 1.24.0 + * - ``grub`` + - 2.12 + - 2.14 + * - ``grub-efi`` + - 2.12 + - 2.14 + * - ``gsettings-desktop-schemas`` + - 48.0 + - 50.0 + * - ``gst-devtools`` + - 1.26.7 + - 1.28.2 + * - ``gst-examples`` + - 1.26.7 + - 1.28.2 + * - ``gstreamer1.0`` + - 1.26.7 + - 1.28.2 + * - ``gstreamer1.0-libav`` + - 1.26.7 + - 1.28.2 + * - ``gstreamer1.0-plugins-bad`` + - 1.26.7 + - 1.28.2 + * - ``gstreamer1.0-plugins-base`` + - 1.26.7 + - 1.28.2 + * - ``gstreamer1.0-plugins-good`` + - 1.26.7 + - 1.28.2 + * - ``gstreamer1.0-plugins-ugly`` + - 1.26.7 + - 1.28.2 + * - ``gstreamer1.0-python`` + - 1.26.7 + - 1.28.2 + * - ``gstreamer1.0-rtsp-server`` + - 1.26.7 + - 1.28.2 + * - ``gtk-doc`` + - 1.34.0 + - 1.35.1 + * - ``gtk4`` + - 4.18.6 + - 4.22.1 + * - ``harfbuzz`` + - 11.4.5 + - 12.3.2 + * - ``hwdata`` + - 0.399 + - 0.405 + * - ``hwlatdetect`` + - 2.9 + - 2.10 + * - ``icu`` + - 77-1 + - 78.3 + * - ``ifupdown`` + - 0.8.44 + - 0.8.45 + * - ``igt-gpu-tools`` + - 2.1 + - 2.3 + * - ``inetutils`` + - 2.6 + - 2.7 + * - ``iproute2`` + - 6.16.0 + - 6.19.0 + * - ``iptables`` + - 1.8.11 + - 1.8.13 + * - ``iso-codes`` + - 4.18.0 + - 4.20.1 + * - ``kbd`` + - 2.8.0 + - 2.9.0 + * - ``kea`` + - 3.0.1 + - 3.0.3 + * - ``kern-tools-native`` + - 0.3+git (f589e1df2325…) + - 0.3+git (a4a362d9f4f0…) + * - ``kexec-tools`` + - 2.0.31 + - 2.0.32 + * - ``kmscube`` + - 0.0.1+git (2c1f2646c5e5…) + - 0.0.1+git (f60e50e887d3…) + * - ``less`` + - 679 + - 692 + * - ``libadwaita`` + - 1.7.6 + - 1.8.4 + * - ``libarchive`` + - 3.8.6 + - 3.8.7 + * - ``libatomic-ops`` + - 7.8.4 + - 7.10.0 + * - ``libcap`` + - 2.76 + - 2.77 + * - ``libcap-ng`` + 
- 0.8.5 + - 0.9.1 + * - ``libcap-ng-python`` + - 0.8.5 + - 0.9.1 + * - ``libclc`` + - 21.1.7 + - 22.1.3 + * - ``libcomps`` + - 0.1.22 + - 0.1.24 + * - ``libcxx`` + - 21.1.7 + - 22.1.3 + * - ``libdisplay-info`` + - 0.2.0 + - 0.3.0 + * - ``libdnf`` + - 0.74.0 + - 0.75.0 + * - ``libdrm`` + - 2.4.125 + - 2.4.131 + * - ``libedit`` + - 20250104-3.1 + - 20251016-3.1 + * - ``libevdev`` + - 1.13.5 + - 1.13.6 + * - ``libexif`` + - 0.6.25 + - 0.6.26 + * - ``libfontenc`` + - 1.1.8 + - 1.1.9 + * - ``libgcrypt`` + - 1.11.2 + - 1.12.1 + * - ``libgit2`` + - 1.9.1 + - 1.9.2 + * - ``libgloss`` + - 4.5.0+git + - 4.6.0+git + * - ``libgpg-error`` + - 1.56 + - 1.59 + * - ``libinput`` + - 1.29.1 + - 1.30.2 + * - ``libjpeg-turbo`` + - 3.1.2 + - 3.1.3 + * - ``libksba`` + - 1.6.7 + - 1.6.8 + * - ``libnl`` + - 3.11.0 + - 3.12.0 + * - ``libnotify`` + - 0.8.6 + - 0.8.8 + * - ``libpam`` + - 1.7.1 + - 1.7.2 + * - ``libpciaccess`` + - 0.18.1 + - 0.19 + * - ``libpcre2`` + - 10.46 + - 10.47 + * - ``libproxy`` + - 0.5.10 + - 0.5.12 + * - ``librsvg`` + - 2.61.0 + - 2.61.3 + * - ``libsolv`` + - 0.7.35 + - 0.7.36 + * - ``libstd-rs`` + - 1.90.0 + - 1.94.1 + * - ``libtasn1`` + - 4.20.0 + - 4.21.0 + * - ``libtest-fatal-perl`` + - 0.017 + - 0.018 + * - ``libtirpc`` + - 1.3.6 + - 1.3.7 + * - ``libtraceevent`` + - 1.8.4 + - 1.9.0 + * - ``libubootenv`` + - 0.3.6 + - 0.3.7 + * - ``libunistring`` + - 1.3 + - 1.4.2 + * - ``liburcu`` + - 0.15.3 + - 0.15.6 + * - ``libuv`` + - 1.51.0 + - 1.52.1 + * - ``libva`` + - 2.22.0 + - 2.23.0 + * - ``libva-initial`` + - 2.22.0 + - 2.23.0 + * - ``libva-utils`` + - 2.22.0 + - 2.23.0 + * - ``libx11`` + - 1.8.12 + - 1.8.13 + * - ``libx11-compose-data`` + - 1.8.4 + - 1.8.12 + * - ``libxcomposite`` + - 0.4.6 + - 0.4.7 + * - ``libxcrypt`` + - 4.4.38 + - 4.5.2 + * - ``libxcrypt-compat`` + - 4.4.38 + - 4.5.2 + * - ``libxdamage`` + - 1.1.6 + - 1.1.7 + * - ``libxext`` + - 1.3.6 + - 1.3.7 + * - ``libxinerama`` + - 1.1.5 + - 1.1.6 + * - ``libxkbcommon`` + - 1.11.0 + - 1.13.1 + * - 
``libxkbfile`` + - 1.1.3 + - 1.2.0 + * - ``libxml2`` + - 2.14.6 + - 2.15.2 + * - ``libxmu`` + - 1.2.1 + - 1.3.1 + * - ``libxpm`` + - 3.5.17 + - 3.5.18 + * - ``libxrandr`` + - 1.5.4 + - 1.5.5 + * - ``libxslt`` + - 1.1.43 + - 1.1.45 + * - ``libxvmc`` + - 1.0.14 + - 1.0.15 + * - ``libxxf86vm`` + - 1.1.6 + - 1.1.7 + * - ``lighttpd`` + - 1.4.81 + - 1.4.82 + * - ``linux-firmware`` + - 20251111 + - 20260410 + * - ``linux-libc-headers`` + - 6.17 + - 6.18 + * - ``linux-yocto`` + - 6.12.69+git, 6.16.11+git + - 6.18.19+git + * - ``linux-yocto-dev`` + - 6.18+git + - 7.0+git + * - ``linux-yocto-rt`` + - 6.12.69+git, 6.16.11+git + - 6.18.19+git + * - ``linux-yocto-tiny`` + - 6.12.69+git, 6.16.11+git + - 6.18.19+git + * - ``lld`` + - 21.1.7 + - 22.1.3 + * - ``lldb`` + - 21.1.7 + - 22.1.3 + * - ``llvm`` + - 21.1.7 + - 22.1.3 + * - ``llvm-tblgen-native`` + - 21.1.7 + - 22.1.3 + * - ``lsof`` + - 4.99.5 + - 4.99.6 + * - ``ltp`` + - 20250930 + - 20260130 + * - ``lttng-modules`` + - 2.14.3 + - 2.14.4 + * - ``lttng-tools`` + - 2.14.0 + - 2.14.1 + * - ``lua`` + - 5.4.8 + - 5.5.0 + * - ``lzlib`` + - 1.15 + - 1.16 + * - ``m4`` + - 1.4.20 + - 1.4.21 + * - ``m4-native`` + - 1.4.20 + - 1.4.21 + * - ``makedumpfile`` + - 1.7.7 + - 1.7.8 + * - ``man-pages`` + - 6.15 + - 6.17 + * - ``mdadm`` + - 4.4 + - 4.6 + * - ``mesa`` + - 25.2.8 + - 26.0.3 + * - ``mesa-gl`` + - 25.2.8 + - 26.0.3 + * - ``meson`` + - 1.9.1 + - 1.10.2 + * - ``mpg123`` + - 1.33.2 + - 1.33.4 + * - ``msmtp`` + - 1.8.31 + - 1.8.32 + * - ``mtd-utils`` + - 2.3.0 + - 2.3.1 + * - ``musl`` + - 1.2.5+git + - 1.2.6+git + * - ``nasm`` + - 2.16.03 + - 3.01 + * - ``ncurses`` + - 6.5 + - 6.6 + * - ``newlib`` + - 4.5.0+git + - 4.6.0+git + * - ``nfs-utils`` + - 2.8.4 + - 2.8.7 + * - ``nghttp2`` + - 1.66.0 + - 1.68.1 + * - ``ninja`` + - 1.13.1 + - 1.13.2 + * - ``ofono`` + - 2.18 + - 2.19 + * - ``openmp`` + - 21.1.7 + - 22.1.3 + * - ``opensbi`` + - 1.7 + - 1.8.1 + * - ``openssh`` + - 10.2p1 + - 10.3p1 + * - ``opkg`` + - 0.8.0 + - 0.9.0 + * - 
``orc`` + - 0.4.41 + - 0.4.42 + * - ``ovmf`` + - edk2-stable202508 + - edk2-stable202511 + * - ``p11-kit`` + - 0.25.5 + - 0.26.2 + * - ``perl`` + - 5.40.2 + - 5.42.0 + * - ``perlcross`` + - 1.6.2 + - 1.6.4 + * - ``picolibc`` + - 1.8.6+git + - 1.8.11+git + * - ``picolibc-helloworld`` + - 1.8.6+git + - 1.8.11+git + * - ``procps`` + - 4.0.5 + - 4.0.6 + * - ``puzzles`` + - 0.0+git (a7c7826bce5c…) + - 0.0+git (ecb576fb2a0a…) + * - ``python3`` + - 3.13.12 + - 3.14.4 + * - ``python3-attrs`` + - 25.3.0 + - 25.4.0 + * - ``python3-babel`` + - 2.17.0 + - 2.18.0 + * - ``python3-bcrypt`` + - 4.3.0 + - 5.0.0 + * - ``python3-beartype`` + - 0.21.0 + - 0.22.9 + * - ``python3-build`` + - 1.3.0 + - 1.4.0 + * - ``python3-calver`` + - 2025.04.17 + - 2025.10.20 + * - ``python3-certifi`` + - 2025.8.3 + - 2026.2.25 + * - ``python3-cffi`` + - 1.17.1 + - 2.0.0 + * - ``python3-chardet`` + - 5.2.0 + - 6.0.0.post1 + * - ``python3-click`` + - 8.2.2 + - 8.3.1 + * - ``python3-cryptography`` + - 45.0.7 + - 46.0.5 + * - ``python3-cryptography-vectors`` + - 45.0.7 + - 46.0.5 + * - ``python3-cython`` + - 3.1.3 + - 3.2.4 + * - ``python3-dbusmock`` + - 0.37.0 + - 0.38.1 + * - ``python3-docutils`` + - 0.22 + - 0.22.4 + * - ``python3-dtschema`` + - 2025.8 + - 2025.12 + * - ``python3-hatchling`` + - 1.27.0 + - 1.29.0 + * - ``python3-hypothesis`` + - 6.142.2 + - 6.151.9 + * - ``python3-imagesize`` + - 1.4.1 + - 2.0.0 + * - ``python3-iniconfig`` + - 2.1.0 + - 2.3.0 + * - ``python3-jsonschema`` + - 4.25.1 + - 4.26.0 + * - ``python3-markdown`` + - 3.9 + - 3.10.2 + * - ``python3-markupsafe`` + - 3.0.2 + - 3.0.3 + * - ``python3-maturin`` + - 1.9.4 + - 1.12.4 + * - ``python3-meson-python`` + - 0.18.0 + - 0.19.0 + * - ``python3-numpy`` + - 2.3.4 + - 2.4.3 + * - ``python3-packaging`` + - 25.0 + - 26.0 + * - ``python3-pathspec`` + - 0.12.1 + - 1.0.4 + * - ``python3-pbr`` + - 7.0.1 + - 7.0.3 + * - ``python3-pdm`` + - 2.25.9 + - 2.26.6 + * - ``python3-pdm-backend`` + - 2.4.5 + - 2.4.7 + * - 
``python3-pdm-build-locked`` + - 0.3.5 + - 0.3.7 + * - ``python3-pip`` + - 25.2 + - 26.0.1 + * - ``python3-poetry-core`` + - 2.1.3 + - 2.3.1 + * - ``python3-psutil`` + - 7.0.0 + - 7.2.2 + * - ``python3-pyasn1`` + - 0.6.1 + - 0.6.2 + * - ``python3-pycairo`` + - 1.28.0 + - 1.29.0 + * - ``python3-pycparser`` + - 2.22 + - 3.0 + * - ``python3-pygobject`` + - 3.52.3 + - 3.56.1 + * - ``python3-pyopenssl`` + - 25.1.0 + - 26.0.0 + * - ``python3-pyparsing`` + - 3.2.4 + - 3.3.2 + * - ``python3-pyproject-metadata`` + - 0.9.1 + - 0.11.0 + * - ``python3-pytest`` + - 8.4.2 + - 9.0.2 + * - ``python3-pytest-subtests`` + - 0.14.2 + - 0.15.0 + * - ``python3-pytz`` + - 2025.2 + - 2026.1 + * - ``python3-pyyaml`` + - 6.0.2 + - 6.0.3 + * - ``python3-rdflib`` + - 7.1.4 + - 7.6.0 + * - ``python3-rpds-py`` + - 0.27.1 + - 0.30.0 + * - ``python3-ruamel-yaml`` + - 0.18.15 + - 0.19.1 + * - ``python3-scons`` + - 4.9.1 + - 4.10.1 + * - ``python3-setuptools`` + - 80.9.0 + - 82.0.1 + * - ``python3-setuptools-scm`` + - 8.3.1 + - 9.2.2 + * - ``python3-sphinx`` + - 8.2.1 + - 9.1.0 + * - ``python3-sphinx-rtd-theme`` + - 3.0.2 + - 3.1.0 + * - ``python3-testtools`` + - 2.7.2 + - 2.8.7 + * - ``python3-trove-classifiers`` + - 2025.9.11.17 + - 2026.1.14.14 + * - ``python3-unittest-automake-output`` + - 0.3 + - 0.4 + * - ``python3-uritools`` + - 5.0.0 + - 6.0.1 + * - ``python3-urllib3`` + - 2.5.0 + - 2.6.3 + * - ``python3-wcwidth`` + - 0.2.13 + - 0.6.0 + * - ``python3-webcolors`` + - 24.11.1 + - 25.10.0 + * - ``python3-websockets`` + - 15.0.1 + - 16.0 + * - ``python3-wheel`` + - 0.46.1 + - 0.46.3 + * - ``python3-xmltodict`` + - 0.15.1 + - 1.0.4 + * - ``python3-yamllint`` + - 1.37.1 + - 1.38.0 + * - ``qemu`` + - 10.0.6 + - 10.2.0 + * - ``qemu-native`` + - 10.0.6 + - 10.2.0 + * - ``qemu-system-native`` + - 10.0.6 + - 10.2.0 + * - ``quota`` + - 4.10 + - 4.11 + * - ``re2c`` + - 4.3 + - 4.4 + * - ``repo`` + - 2.58 + - 2.61.1 + * - ``resolvconf`` + - 1.93 + - 1.94 + * - ``rgb`` + - 1.1.0 + - 1.1.1 + * - 
``rpm-sequoia`` + - 1.9.0 + - 1.10.1 + * - ``rpm-sequoia-crypto-policy`` + - git (ae1df75b1155…) + - git (f3f5fa454345…) + * - ``rt-tests`` + - 2.9 + - 2.10 + * - ``ruby`` + - 3.4.5 + - 4.0.2 + * - ``rust`` + - 1.90.0 + - 1.94.1 + * - ``rust-cross-canadian`` + - 1.90.0 + - 1.94.1 + * - ``sbc`` + - 2.1 + - 2.2 + * - ``scdoc`` + - 1.11.3 + - 1.11.4 + * - ``seatd`` + - 0.9.1 + - 0.9.3 + * - ``shaderc`` + - 2025.3 + - 2026.1 + * - ``shadow`` + - 4.18.0 + - 4.19.4 + * - ``socat`` + - 1.8.0.3 + - 1.8.1.1 + * - ``spirv-headers`` + - 1.4.328.1 + - 1.4.341.0 + * - ``spirv-llvm-translator`` + - 21.1.1 + - 22.1.1 + * - ``spirv-tools`` + - 1.4.328.1 + - 1.4.341.0 + * - ``sqlite3`` + - 3.48.0 + - 3.51.3 + * - ``squashfs-tools`` + - 4.7.2 + - 4.7.5 + * - ``strace`` + - 6.16 + - 6.19 + * - ``stress-ng`` + - 0.19.04 + - 0.20.01 + * - ``swig`` + - 4.3.1 + - 4.4.1 + * - ``sysstat`` + - 12.7.8 + - 12.7.9 + * - ``systemd`` + - 257.8 + - 259.5 + * - ``systemd-boot`` + - 257.8 + - 259.5 + * - ``systemd-boot-native`` + - 257.8 + - 259.5 + * - ``systemd-systemctl-native`` + - 257.8 + - 259.5 + * - ``systemtap`` + - 5.3 + - 5.4 + * - ``systemtap-native`` + - 5.3 + - 5.4 + * - ``taglib`` + - 2.1.1 + - 2.2.1 + * - ``tcl`` + - 9.0.2 + - 9.0.3 + * - ``texinfo`` + - 7.2 + - 7.3 + * - ``ttyrun`` + - 2.38.0 + - 2.41.0 + * - ``u-boot`` + - 2025.10 + - 2026.01 + * - ``u-boot-tools`` + - 2025.10 + - 2026.01 + * - ``usbutils`` + - 018 + - 019 + * - ``utfcpp`` + - 4.0.6 + - 4.0.9 + * - ``util-linux`` + - 2.41.1 + - 2.41.3 + * - ``util-linux-libuuid`` + - 2.41.1 + - 2.41.3 + * - ``valgrind`` + - 3.25.1 + - 3.26.0 + * - ``vim`` + - 9.1.1683 + - 9.2.0340 + * - ``vim-tiny`` + - 9.1.1683 + - 9.2.0340 + * - ``virglrenderer`` + - 1.1.1 + - 1.2.0 + * - ``vte`` + - 0.82.1 + - 0.82.2 + * - ``vulkan-headers`` + - 1.4.328.1 + - 1.4.341.0 + * - ``vulkan-loader`` + - 1.4.328.1 + - 1.4.341.0 + * - ``vulkan-samples`` + - git (d27205d14d01…) + - git (fa2cf45adde0…) + * - ``vulkan-tools`` + - 1.4.328.1 + - 1.4.341.0 + 
* - ``vulkan-utility-libraries`` + - 1.4.328.1 + - 1.4.341.0 + * - ``vulkan-validation-layers`` + - 1.4.328.1 + - 1.4.341.0 + * - ``vulkan-volk`` + - 1.4.328.1 + - 1.4.341.0 + * - ``wayland-protocols`` + - 1.45 + - 1.47 + * - ``wayland-utils`` + - 1.2.0 + - 1.3.0 + * - ``webkitgtk`` + - 2.50.4 + - 2.50.6 + * - ``weston`` + - 14.0.2 + - 15.0.0 + * - ``wpebackend-fdo`` + - 1.16.0 + - 1.16.1 + * - ``x264`` + - r3039+git (31e19f92f00c…) + - r3039+git (0480cb05fa18…) + * - ``xauth`` + - 1.1.4 + - 1.1.5 + * - ``xcb-util-cursor`` + - 0.1.5 + - 0.1.6 + * - ``xeyes`` + - 1.3.0 + - 1.3.1 + * - ``xkbcomp`` + - 1.4.7 + - 1.5.0 + * - ``xkeyboard-config`` + - 2.45 + - 2.47 + * - ``xorgproto`` + - 2024.1 + - 2025.1 + * - ``xserver-xorg`` + - 21.1.18 + - 21.1.21 + * - ``xwayland`` + - 24.1.8 + - 24.1.9 + * - ``xz`` + - 5.8.1 + - 5.8.2 + * - ``zlib`` + - 1.3.1 + - 1.3.2 Contributors to |yocto-ver| --------------------------- From patchwork Wed Apr 22 14:22:48 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antonin Godard X-Patchwork-Id: 86658 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7A1C4F9EDF1 for ; Wed, 22 Apr 2026 14:23:10 +0000 (UTC) Received: from smtpout-04.galae.net (smtpout-04.galae.net [185.171.202.116]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.83720.1776867786578103130 for ; Wed, 22 Apr 2026 07:23:06 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@bootlin.com header.s=dkim header.b=R0udIeom; spf=pass (domain: bootlin.com, ip: 185.171.202.116, mailfrom: antonin.godard@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-04.galae.net (Postfix) with ESMTPS id 786F3C5C3CC for ; Wed, 22 Apr 2026 14:23:45 +0000 (UTC) 
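Review bot: In the upgraded-recipes table, ``libx11-compose-data`` is listed as going from 1.8.4 to 1.8.12 while ``libx11`` goes from 1.8.12 to 1.8.13, which leaves the two recipes out of step in the new release. Please confirm that this is what the generated comparison reports and not a stale row. The rows whose version string is unchanged and only the revision differs, such as ``cryptodev-linux`` at 1.14 (135cbff90af2… to 08644db02d43…), are consistent with the new "Previous version(s)" / "New version(s)" headers and look fine as they are.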
From: Antonin Godard Date: Wed, 22 Apr 2026 16:22:48 +0200 Subject: [PATCH 15/16] migration-guides/migration-6.0.rst: mention python3-roman-numerals-py rename MIME-Version: 1.0 Message-Id: <20260422-third-release-notes-6-0-v1-15-06635e8648d1@bootlin.com> References: <20260422-third-release-notes-6-0-v1-0-06635e8648d1@bootlin.com> In-Reply-To: <20260422-third-release-notes-6-0-v1-0-06635e8648d1@bootlin.com> To: docs@lists.yoctoproject.org Cc: Thomas Petazzoni, Antonin Godard X-Mailer: b4 0.16-dev X-Developer-Key: i=antonin.godard@bootlin.com; a=openpgp; fpr=8648725188DD401BB9A0D3FFD180414029A3A836 X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/9324 Following faff756e829b ("python3-roman-numerals-py: upgrade 3.1.0 -> 4.1.0") in OE-Core.
Signed-off-by: Antonin Godard --- documentation/migration-guides/migration-6.0.rst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/documentation/migration-guides/migration-6.0.rst b/documentation/migration-guides/migration-6.0.rst index 731f2b990..33cf905b5 100644 --- a/documentation/migration-guides/migration-6.0.rst +++ b/documentation/migration-guides/migration-6.0.rst 
@@ -484,6 +484,9 @@ The following recipes have been removed in this release: ``cve-check`` class removal as it was the only user of these recipes. (:oecore_rev:`00de455f8d3aeca880129d23e8cfb7e246404699`) +- ``python3-roman-numerals-py``: renamed to ``python3-roman-numerals`` + (:oecore_rev:`faff756e829b852724ad706051d6a771071440cb`) + Removed :term:`PACKAGECONFIG` options ------------------------------------- From patchwork Wed Apr 22 14:22:49 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Antonin Godard X-Patchwork-Id: 86652 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 122E3F9EDE0 for ; Wed, 22 Apr 2026 14:23:10 +0000 (UTC) Received: from smtpout-04.galae.net (smtpout-04.galae.net [185.171.202.116]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.83722.1776867788081720762 for ; Wed, 22 Apr 2026 07:23:08 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@bootlin.com header.s=dkim header.b=CNcLaRbX; spf=pass (domain: bootlin.com, ip: 185.171.202.116, mailfrom: antonin.godard@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-04.galae.net (Postfix) with ESMTPS id 033AAC5C3CD for ; Wed, 22 Apr 2026 14:23:47 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id 2F10B5FA8F for ; Wed, 22 Apr 2026 14:23:06 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 5F00010460B10; Wed, 22 Apr 2026 16:23:04 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=dkim; t=1776867784; h=from:subject:date:message-id:to:cc:mime-version:content-type: 
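Review bot: The new ``python3-roman-numerals-py`` entry describes a rename, but it is added to the list introduced by "The following recipes have been removed in this release:", so a reader scanning for removals may take it as dropped without a replacement. Consider saying explicitly that layers and images referencing the old name need to switch to ``python3-roman-numerals``, or moving the entry to wherever renames are documented if the guide has such a place.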
From: Antonin Godard Date: Wed, 22 Apr 2026 16:22:49 +0200 Subject: [PATCH 16/16] migration-guides/release-notes-6.0.rst: add contributors MIME-Version: 1.0 Message-Id: <20260422-third-release-notes-6-0-v1-16-06635e8648d1@bootlin.com> References: <20260422-third-release-notes-6-0-v1-0-06635e8648d1@bootlin.com> In-Reply-To: <20260422-third-release-notes-6-0-v1-0-06635e8648d1@bootlin.com> To: docs@lists.yoctoproject.org Cc: Thomas Petazzoni, Antonin Godard X-Mailer: b4 0.16-dev X-Developer-Key: i=antonin.godard@bootlin.com; a=openpgp; fpr=8648725188DD401BB9A0D3FFD180414029A3A836 X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/9325
Signed-off-by: Antonin Godard --- .../migration-guides/release-notes-6.0.rst | 194 +++++++++++++++++++++ 1 file changed, 194 insertions(+) diff --git a/documentation/migration-guides/release-notes-6.0.rst b/documentation/migration-guides/release-notes-6.0.rst index 395694583..14eade484 100644 --- a/documentation/migration-guides/release-notes-6.0.rst +++ b/documentation/migration-guides/release-notes-6.0.rst 
@@ -2001,7 +2001,201 @@ The following recipes have been upgraded: Contributors to |yocto-ver| --------------------------- +.. + List obtained with the following shell snippet: + + authors="" + for repo in openembedded-core yocto-docs bitbake meta-yocto; do + authors="${authors}\n$(git --no-pager -C $repo log --format="- %an" yocto-5.3..origin/master)" + done + echo $authors | sort | uniq + + Email addresses and duplicates removed. + Thanks to the following people who contributed to this release: +- Adam Blank +- Adam Duskett +- Adarsh Jagadish Kamini +- Aditya Kurdunkar +- Adrian Freihofer +- Alejandro Hernandez Samaniego +- Aleksandar Nikolic +- Alexander Kanavin +- Alexander Sverdlin +- Alex Bradbury +- Alex Kiernan +- Amaury Couderc +- Andrej Kozemcak +- Anibal Limon +- Ankur Tyagi +- Antonin Godard +- Ashish Kumar Mishra +- Ashish Sharma +- BELHADJ SALEM Talel +- Benjamin Robin +- Bruce Ashfield +- Changqing Li +- Chen Qi +- Clement Faure +- Colin Pinnell McAllister +- Corentin Guillevic +- Daiane Angolini +- Daniel Dragomir +- Daniel Turull +- Dan McGregor +- Deepesh Varatharajan +- Dmitry Baryshkov +- Dragomir, Daniel +- El Mehdi YOUNES +- Enrico Jörns +- Ernst Persson +- Etienne Cordonnier +- Fabio Berton +- Fabio Estevam +- Favazza, Samuele +- Florian Schmaus +- Francesco Valla +- Germann, Bastian +- Guðni Már Gilbert +- Gyorgy Sarvari +- Haiqing Bai +- Harish Sadineni +- Hemanth Kumar M D +- Het Patel +- Hiago De Franco +- hongxu +- Hongxu Jia +- Jaeyoon Jung +- Jan Luebbe +- Jan Vermaete +- Jason Schonberg +- Javier Tia +- Jiaying Song +- Jinfeng Wang +- João Marcos Costa +- Jörg Sommer +- Jose Quaresma +- Joshua Watt +- Kai Kang +- Kamel Bouhara +- Kavinaya S +- Ken Kurematsu +- Khai Dang +- Khalifa Rouis +- Khem Raj +- Koen Kooi +- Kory Maincent +- Kristiyan Chakarov +- Krupal Ka Patel +- Lee Chee Yang +- Leon Anavi +- Le Qi +- Liu Yiding +- Livin Sunny +- Liyin Zhang +- Logan Gallois +- Louis Rannou +- Lucas Stach +- Luka Krstic +- Mahesh Angadi +- 
Mark Hatle +- Markus Volk +- mark.yang +- Martin Jansa +- Martin Schwan +- Mathieu Dubois-Briand +- Matt Madison +- Maxin B. John +- Maxin John +- Max Krummenacher +- Miaoqing Pan +- Michael Arndt +- Michael Halstead +- Michael Opdenacker +- Michal Sieron +- Mikko Rapeli +- Ming Liu +- Mingli Yu +- Miroslav Cernak +- Mohammad Rafi Shaik +- Mohammad Rahimi +- Moritz Haase +- Naftaly RALAMBOARIVONY +- Naman Jain +- Nikhil R +- Niko Mauno +- Nora Schiffer +- Osama Abdelkader +- Patrick Vogelaar +- Patrick Wicki +- Paul Barker +- Pavel Löbl +- Peter Bergin +- Peter de Ridder +- Peter Kjellerstedt +- Peter Marko +- Peter Tatrai +- Philip Lorenz +- Pierre-Loup GOSSE +- Piotr Buliński +- Pratik Farkase +- Quentin Schulz +- Randolph Sapp +- Randy MacLeod +- Ricardo Salveti +- Ricardo Simoes +- Ricardo Ungerer +- Richard Purdie +- Robert Joslyn +- Robert P. J. Day +- Robert Yang +- Rob Woolley +- Ross Burton +- Rouven Rastetter +- Ryan Eatmon +- Sam Povilus +- Samuli Piippo +- Sandeep Gundlupet Raju +- Scott Murray +- Shaik Moin +- Shotaro Uchida +- Stefano Babic +- Stefano Tondo +- Sunil Dora +- sven.kalmbach +- Swami +- Telukula Jeevan Kumar Sahu +- Theo GAIGE +- Thomas Perrot +- Tim Orling +- Tom Geelen +- Trevor Gamblin +- Trevor Woerner +- Ulrich Ölmann +- Uwe Kleine-König +- Veeresh Kadasani +- Victor Kamensky +- Vijay Anusuri +- Viswanath Kraleti +- Vivek Puar +- Vyacheslav Yurkov +- Wang Mingyu +- Weisser, Pascal +- Xiangyu Chen +- Yanis BINARD +- Yannic Moog +- Yash Gupta +- Yash Shinde +- Yasir Al-Latifi +- Yiding Liu +- Yi Zhao +- Yoann Congal +- Yongxin Liu +- Zhangfei Gao +- Zhang Peng +- Zk47T +- Zoltán Böszörményi + Repositories / Downloads for Yocto-|yocto-ver| ----------------------------------------------
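Review bot: The contributor list still contains what look like the same people twice, although the comment above it says duplicates were removed: "Daniel Dragomir" and "Dragomir, Daniel", "Maxin B. John" and "Maxin John", "Liu Yiding" and "Yiding Liu", and "hongxu" next to "Hongxu Jia". Several entries are also in "Last, First" form ("Favazza, Samuele", "Germann, Bastian", "Weisser, Pascal") or look like raw git identities ("mark.yang", "sven.kalmbach"); a manual pass or a .mailmap in the repositories would normalise these. Separately, the snippet in the comment depends on echo expanding "\n" and on $authors being left unquoted, which behaves differently from one shell to another. Using printf '%b\n' "$authors" | sort -u and quoting "$repo" would make it reproducible for whoever regenerates the list.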