From patchwork Fri Apr 24 08:28:29 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Antonin Godard
X-Patchwork-Id: 86805
From: Antonin Godard
Date: Fri, 24 Apr 2026 10:28:29 +0200
Subject: [PATCH v2 01/18] conf.py: add a :yocto_bug: role
Message-Id: <20260424-third-release-notes-6-0-v2-1-4feacf138e13@bootlin.com>
References: <20260424-third-release-notes-6-0-v2-0-4feacf138e13@bootlin.com>
In-Reply-To: <20260424-third-release-notes-6-0-v2-0-4feacf138e13@bootlin.com>
To: docs@lists.yoctoproject.org
Cc: Thomas Petazzoni, Antonin Godard
X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/9338

Similar to :yocto_bugs: but directly create a hyperlink to the bug displayed
with its identifier. Use as :yocto_bug:`12345`.
Signed-off-by: Antonin Godard --- documentation/conf.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/documentation/conf.py b/documentation/conf.py index 58c6406f1..7b201ebd6 100644 --- a/documentation/conf.py +++ b/documentation/conf.py @@ -97,6 +97,7 @@ oecore_git = f"{oe_git_server}/openembedded-core" bitbake_git = f"{oe_git_server}/bitbake" yocto_git_server = "https://git.yoctoproject.org" meta_yocto_git = f"{yocto_git_server}/meta-yocto" +bugzilla_server = "https://bugzilla.yoctoproject.org" # external links and substitutions extlinks = { 
@@ -109,7 +110,8 @@ extlinks = { 'yocto_wiki': ('https://wiki.yoctoproject.org/wiki%s', None), 'yocto_dl': ('https://downloads.yoctoproject.org%s', None), 'yocto_lists': ('https://lists.yoctoproject.org%s', None), - 'yocto_bugs': ('https://bugzilla.yoctoproject.org%s', None), + 'yocto_bugs': (f'{bugzilla_server}%s', None), + 'yocto_bug': (f'{bugzilla_server}/show_bug.cgi?id=%s', '%s'), 'yocto_ab': ('https://autobuilder.yoctoproject.org%s', None), 'yocto_docs': ('https://docs.yoctoproject.org%s', None), 'yocto_git': (f'{yocto_git_server}%s', None), From patchwork Fri Apr 24 08:28:30 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antonin Godard X-Patchwork-Id: 86810 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D8369FB44DE for ; Fri, 24 Apr 2026 08:28:59 +0000 (UTC) Received: from smtpout-03.galae.net (smtpout-03.galae.net [185.246.85.4]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.16363.1777019332922685344 for ; Fri, 24 Apr 2026 01:28:54 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@bootlin.com header.s=dkim header.b=m6rmi0Eq; spf=pass (domain: bootlin.com, ip: 185.246.85.4, mailfrom: antonin.godard@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-03.galae.net (Postfix) with ESMTPS id 3B0C74E42AEB for ; Fri, 24 Apr 2026 08:28:51 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id 13B01604EB for ; Fri, 24 Apr 2026 08:28:51 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 6CA6610720737; Fri, 24 Apr 2026 10:28:50 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
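Review bot: In the second hunk of documentation/conf.py, the new 'yocto_bug' entry uses the caption '%s', so the rendered link text is the bare number and every call site has to supply its own wording around the role (as in "See bug :yocto_bug:`16074`"). Consider a caption such as 'bug %s' so the link is self-describing, or add a one-line comment above the entry saying that the argument is the numeric Bugzilla id and that the caption is intentionally bare. The argument is interpolated after show_bug.cgi?id= without any check, so a mistyped id still renders as a valid-looking link; a link check is the only thing that would catch it.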
From: Antonin Godard
Date: Fri, 24 Apr 2026 10:28:30 +0200
Subject: [PATCH v2 02/18] migration-guides/release-notes-6.0.rst: add known KVM issue
Message-Id: <20260424-third-release-notes-6-0-v2-2-4feacf138e13@bootlin.com>
References: <20260424-third-release-notes-6-0-v2-0-4feacf138e13@bootlin.com>
In-Reply-To: <20260424-third-release-notes-6-0-v2-0-4feacf138e13@bootlin.com>
To: docs@lists.yoctoproject.org
Cc: Thomas Petazzoni, Antonin Godard
X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/9341

And link to the bug in question on Bugzilla.
Signed-off-by: Antonin Godard --- documentation/migration-guides/release-notes-6.0.rst | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/documentation/migration-guides/release-notes-6.0.rst b/documentation/migration-guides/release-notes-6.0.rst index a4fd7a169..2ae182c8c 100644 --- a/documentation/migration-guides/release-notes-6.0.rst +++ b/documentation/migration-guides/release-notes-6.0.rst 
@@ -739,6 +739,10 @@ New Features / Enhancements in |yocto-ver| Known Issues in |yocto-ver| --------------------------- +- A known bug is affecting :term:`build hosts ` that have Intel + Ultra 7 CPUs and breaks :term:`OpenEmbedded-Core (OE-Core)` tests that + involve KVM. See bug :yocto_bug:`16074` for more information. + Recipe License changes in |yocto-ver| ------------------------------------- From patchwork Fri Apr 24 08:28:31 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antonin Godard X-Patchwork-Id: 86811 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C98D8FB44D9 for ; Fri, 24 Apr 2026 08:28:59 +0000 (UTC) Received: from smtpout-03.galae.net (smtpout-03.galae.net [185.246.85.4]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.16364.1777019333448984348 for ; Fri, 24 Apr 2026 01:28:54 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@bootlin.com header.s=dkim header.b=KFxh2+dE; spf=pass (domain: bootlin.com, ip: 185.246.85.4, mailfrom: antonin.godard@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-03.galae.net (Postfix) with ESMTPS id DA7504E42AEE for ; Fri, 24 Apr 2026 08:28:51 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id B2F26604EB for ; Fri, 24 Apr 2026 08:28:51 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 0CB281072073B; Fri, 24 Apr 2026 10:28:51 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=dkim; t=1777019331; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; 
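Review bot: The new Known Issues entry in release-notes-6.0.rst says the bug "breaks" OE-Core tests that involve KVM but gives no symptom, so a reader cannot recognise the failure without opening bug 16074; one clause describing how the tests fail would make the entry usable on its own. In the same sentence, "is affecting" reads better as "affects", and "Intel Ultra 7 CPUs" should use the same product name as the bug report so that it can be searched for.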
From: Antonin Godard
Date: Fri, 24 Apr 2026 10:28:31 +0200
Subject: [PATCH v2 03/18] migration-guides/migration-6.0.rst: document the CVE_PRODUCT behavior change
Message-Id: <20260424-third-release-notes-6-0-v2-3-4feacf138e13@bootlin.com>
References: <20260424-third-release-notes-6-0-v2-0-4feacf138e13@bootlin.com>
In-Reply-To: <20260424-third-release-notes-6-0-v2-0-4feacf138e13@bootlin.com>
To: docs@lists.yoctoproject.org
Cc: Thomas Petazzoni, Antonin Godard
X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/9340

After 9dd9c0038907 ("cve_check: Escape special characters in CPE 2.3 strings") and
3c73dafd03b1 ("cve_check: Improve escaping of special characters in CPE 2.3") in OE-Core. Signed-off-by: Antonin Godard --- documentation/migration-guides/migration-6.0.rst | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/documentation/migration-guides/migration-6.0.rst b/documentation/migration-guides/migration-6.0.rst index 42c688a89..d763062da 100644 --- a/documentation/migration-guides/migration-6.0.rst +++ b/documentation/migration-guides/migration-6.0.rst 
@@ -291,6 +291,20 @@ information. Users are advised to transition to SDPX 3.0, which is provided by the :ref:`ref-classes-create-spdx` class. +:term:`CVE_PRODUCT` character escaping change +--------------------------------------------- + +The :term:`CVE_PRODUCT` variable, which specifies a name used to match the +recipe name against the name in the upstream `NIST CVE database +`__, used to require special characters to be escaped. + +This is no longer, the case. For example, the :term:`CVE_PRODUCT` variable for +the ``webkitgtk`` recipe must no longer be written as ``webkitgtk\+`` but +``webkitgtk+``. + +Users are advised to review their :term:`CVE_PRODUCT` assignments and remove any +special character escaping. + .. _ref-migration-6-0-wic-sector-size-change: :term:`WIC_SECTOR_SIZE` should be replaced by ``--sector-size`` From patchwork Fri Apr 24 08:28:32 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antonin Godard X-Patchwork-Id: 86812 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E425AF589DF for ; Fri, 24 Apr 2026 08:28:59 +0000 (UTC) Received: from smtpout-03.galae.net (smtpout-03.galae.net [185.246.85.4]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.16687.1777019334189870723 for ; Fri, 24 Apr 2026 01:28:54 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@bootlin.com header.s=dkim header.b=Qd6I/asU; spf=pass (domain: bootlin.com, ip: 185.246.85.4, mailfrom: antonin.godard@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-03.galae.net (Postfix) with ESMTPS id 918244E42AEF for ; Fri, 24 Apr 2026 08:28:52 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) 
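Review bot: The new CVE_PRODUCT section in migration-6.0.rst tells users to remove escaping but never says what happens when an escaped value such as ``webkitgtk\+`` is left in place after the upgrade. If the result is a product name that no longer matches the CVE database, vulnerabilities are missed silently instead of the build failing, and the guide should state that consequence explicitly so the review is not treated as optional. Also in this hunk: "This is no longer, the case." has a stray comma; "must no longer be written as ... but ..." would be clearer as "should now be written as ``webkitgtk+`` instead of ``webkitgtk\+``"; and the section has no ".. _ref-migration-6-0-...:" label while the WIC_SECTOR_SIZE section right after it does, so the release notes cannot link to it.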
From: Antonin Godard
Date: Fri, 24 Apr 2026 10:28:32 +0200
Subject: [PATCH v2 04/18] tools/build-docs-container: add missing leap 16.0 in help message
Message-Id: <20260424-third-release-notes-6-0-v2-4-4feacf138e13@bootlin.com>
References: <20260424-third-release-notes-6-0-v2-0-4feacf138e13@bootlin.com>
In-Reply-To: <20260424-third-release-notes-6-0-v2-0-4feacf138e13@bootlin.com>
To: docs@lists.yoctoproject.org
Cc: Thomas Petazzoni, Antonin Godard
X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/9342

Fixes: e5880b36dfc6 ("ref-manual/system-requirements.rst: add section for openSUSE Leap 16.0")
Signed-off-by: Antonin Godard --- documentation/tools/build-docs-container | 1 + 1 file changed, 1 insertion(+) diff --git a/documentation/tools/build-docs-container b/documentation/tools/build-docs-container index a540e81ec..ab8314901 100755 --- a/documentation/tools/build-docs-container +++ b/documentation/tools/build-docs-container 
@@ -41,6 +41,7 @@ $0 OCI_IMAGE [make arguments...] - fedora:42 - fedora:43 - leap:15.6 + - leap:16.0 - rockylinux:8 - rockylinux:9 - ubuntu:22.04 From patchwork Fri Apr 24 08:28:33 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antonin Godard X-Patchwork-Id: 86806 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9F908FB44D6 for ; Fri, 24 Apr 2026 08:28:59 +0000 (UTC) Received: from smtpout-03.galae.net (smtpout-03.galae.net [185.246.85.4]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.16688.1777019335624753231 for ; Fri, 24 Apr 2026 01:28:55 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@bootlin.com header.s=dkim header.b=u09XjIAp; spf=pass (domain: bootlin.com, ip: 185.246.85.4, mailfrom: antonin.godard@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-03.galae.net (Postfix) with ESMTPS id 22FF64E42AF0 for ; Fri, 24 Apr 2026 08:28:53 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id E898D604EB for ; Fri, 24 Apr 2026 08:28:52 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 4DCDB10720728; Fri, 24 Apr 2026 10:28:52 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=dkim; t=1777019332; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; bh=MWTq4hvcJGtMWj3y91cLsWXwvqTRJg/B9aP6KKKw9/s=; b=u09XjIAposyarbDIOPodt0jOalmoae6GEnUglbQTMaay24Q91WCR5hC90iDG74wKk8OYyv g7WX5qq2YMtNFcZdRIH1IPPrvzvLAh3SJfEwfOuTp/eLzCemJgQXFkPOlGIE+Y+n7kDbEm sLyrdE0YIuwz9e8P2RSbcpzoJNTT5LrsqWgE/vbIJ3++pmMsKE1W4XpZBh+YQHTqCczCvO 
From: Antonin Godard
Date: Fri, 24 Apr 2026 10:28:33 +0200
Subject: [PATCH v2 05/18] tools/build-docs-container: add CentOS 10 support
Message-Id: <20260424-third-release-notes-6-0-v2-5-4feacf138e13@bootlin.com>
References: <20260424-third-release-notes-6-0-v2-0-4feacf138e13@bootlin.com>
In-Reply-To: <20260424-third-release-notes-6-0-v2-0-4feacf138e13@bootlin.com>
To: docs@lists.yoctoproject.org
Cc: Thomas Petazzoni, Antonin Godard
X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/9343

No issue building the documentation, and including the packages from the essential list
(INCLUDE_ESSENTIAL_PACKAGES=1). Signed-off-by: Antonin Godard --- documentation/tools/build-docs-container | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/documentation/tools/build-docs-container b/documentation/tools/build-docs-container index ab8314901..37d3d2bb6 100755 --- a/documentation/tools/build-docs-container +++ b/documentation/tools/build-docs-container @@ -36,6 +36,7 @@ $0 OCI_IMAGE [make arguments...] - almalinux:8 - almalinux:9 - centos:stream9 + - centos:stream10 - debian:12 - debian:13 - fedora:42 
@@ -98,7 +99,8 @@ main () docs_pdf=tlmgr_docs_pdf.sh pip3=pip3_docs.sh ;; - "centos:stream9"*) + "centos:stream9"*|\ + "centos:stream10"*) containerfile=Containerfile.stream essential=centosstream_essential.sh docs=centosstream_docs.sh From patchwork Fri Apr 24 08:28:34 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antonin Godard X-Patchwork-Id: 86808 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6CB68FB44D3 for ; Fri, 24 Apr 2026 08:28:59 +0000 (UTC) Received: from smtpout-03.galae.net (smtpout-03.galae.net [185.246.85.4]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.16366.1777019335703235534 for ; Fri, 24 Apr 2026 01:28:56 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@bootlin.com header.s=dkim header.b=WGQbU4ak; spf=pass (domain: bootlin.com, ip: 185.246.85.4, mailfrom: antonin.godard@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-03.galae.net (Postfix) with ESMTPS id 2A3F54E42AE6 for ; Fri, 24 Apr 2026 08:28:54 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id 03340604EB for ; Fri, 24 Apr 2026 08:28:54 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id CA9DA10720735; Fri, 24 Apr 2026 10:28:52 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=dkim; t=1777019333; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; bh=nC6C3wegqbJ6zb1eTT6QjibjNWplsACmhCot8Skbvds=; b=WGQbU4ak4WJZEk6yU6WE25j0JKzgsZcyNf74xD9cJ8Kc/9T0JggTN4aDarVNaX/DSx6Sil 
From: Antonin Godard
Date: Fri, 24 Apr 2026 10:28:34 +0200
Subject: [PATCH v2 06/18] ref-manual/system-requirements.rst: add CentOS 10 as a supported distro
Message-Id: <20260424-third-release-notes-6-0-v2-6-4feacf138e13@bootlin.com>
References: <20260424-third-release-notes-6-0-v2-0-4feacf138e13@bootlin.com>
In-Reply-To: <20260424-third-release-notes-6-0-v2-0-4feacf138e13@bootlin.com>
To: docs@lists.yoctoproject.org
Cc: Thomas Petazzoni, Antonin Godard
X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/9344

The current list of packages for CentOS 9 applies for CentOS 10.
Signed-off-by: Antonin Godard --- documentation/ref-manual/system-requirements.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/documentation/ref-manual/system-requirements.rst b/documentation/ref-manual/system-requirements.rst index 05c852043..5171ca6ba 100644 --- a/documentation/ref-manual/system-requirements.rst +++ b/documentation/ref-manual/system-requirements.rst 
@@ -65,6 +65,7 @@ supported on the following distributions: - AlmaLinux 8 - AlmaLinux 9 - CentOS Stream 9 +- CentOS Stream 10 - Debian 11 - Debian 12 - Debian 13 From patchwork Fri Apr 24 08:28:35 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antonin Godard X-Patchwork-Id: 86809 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6CD83FB44D4 for ; Fri, 24 Apr 2026 08:28:59 +0000 (UTC) Received: from smtpout-03.galae.net (smtpout-03.galae.net [185.246.85.4]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.16689.1777019336463915404 for ; Fri, 24 Apr 2026 01:28:56 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@bootlin.com header.s=dkim header.b=TmgQl+8S; spf=pass (domain: bootlin.com, ip: 185.246.85.4, mailfrom: antonin.godard@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-03.galae.net (Postfix) with ESMTPS id D403A4E42AE9 for ; Fri, 24 Apr 2026 08:28:54 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id AB1F9604EB for ; Fri, 24 Apr 2026 08:28:54 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id CE2CD1072073C; Fri, 24 Apr 2026 10:28:53 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=dkim; t=1777019334; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; bh=i8D+u+sgbjanTqf59uJEH1qcp5/GG2BaPpi3OKmBVYY=; b=TmgQl+8SI9EmqIR2TplKwgK5ZDLmX9A5EAtOTgUqG0qQ0bGm7RyimY1P8/4sjKSBApLzmv Lx9g+2DZS5NgVoowameDiTDXSX7vodtmY4m6dLDXxQ0hLalVLBJLsBlel/M+8oLLcInJzw 
From: Antonin Godard
Date: Fri, 24 Apr 2026 10:28:35 +0200
Subject: [PATCH v2 07/18] docs-wide: drop documentation for cve-check and variables
Message-Id: <20260424-third-release-notes-6-0-v2-7-4feacf138e13@bootlin.com>
References: <20260424-third-release-notes-6-0-v2-0-4feacf138e13@bootlin.com>
In-Reply-To: <20260424-third-release-notes-6-0-v2-0-4feacf138e13@bootlin.com>
To: docs@lists.yoctoproject.org
Cc: Thomas Petazzoni, Antonin Godard
X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/9345

Drop the cve-check class documentation and all variables strictly tied to the class.
The vex class is still there and uses the same namespace to name its variables, so keep the variables that are still used in the vex class. The current vulnerabilities document is out-of-date, but references to cve-check are still removed there for bisectability, and is rewritten in the next commits. Signed-off-by: Antonin Godard --- documentation/migration-guides/migration-3.0.rst | 4 +- documentation/migration-guides/migration-5.0.rst | 2 +- .../migration-guides/release-notes-4.0.23.rst | 2 +- .../migration-guides/release-notes-4.1.1.rst | 4 +- .../migration-guides/release-notes-4.1.rst | 4 +- .../migration-guides/release-notes-5.0.5.rst | 2 +- .../migration-guides/release-notes-5.0.rst | 4 +- .../migration-guides/release-notes-5.1.3.rst | 2 +- .../migration-guides/release-notes-5.1.rst | 8 +-- .../migration-guides/release-notes-5.2.rst | 24 +++---- .../migration-guides/release-notes-5.3.rst | 2 +- .../migration-guides/release-notes-6.0.rst | 2 +- documentation/ref-manual/classes.rst | 78 +--------------------- documentation/ref-manual/variables.rst | 77 +++------------------ documentation/security-manual/vulnerabilities.rst | 12 ++-- 15 files changed, 47 insertions(+), 180 deletions(-) diff --git a/documentation/migration-guides/migration-3.0.rst b/documentation/migration-guides/migration-3.0.rst index 67fcac41f..f5201dcac 100644 --- a/documentation/migration-guides/migration-3.0.rst +++ b/documentation/migration-guides/migration-3.0.rst @@ -49,7 +49,7 @@ The following recipes have been removed. - ``core-image-lsb-sdk``: Part of removed LSB support. - ``cve-check-tool``: Functionally replaced by the ``cve-update-db`` - recipe and :ref:`ref-classes-cve-check` class. + recipe and ``cve-check`` class. - ``eglinfo``: No longer maintained. ``eglinfo`` from ``mesa-demos`` is an adequate and maintained alternative. 
@@ -144,7 +144,7 @@ CVE Checking ------------ ``cve-check-tool`` has been functionally replaced by a new -``cve-update-db`` recipe and functionality built into the :ref:`ref-classes-cve-check` +``cve-update-db`` recipe and functionality built into the ``cve-check`` class. The result uses NVD JSON data feeds rather than the deprecated XML feeds that ``cve-check-tool`` was using, supports CVSSv3 scoring, and makes other improvements. diff --git a/documentation/migration-guides/migration-5.0.rst b/documentation/migration-guides/migration-5.0.rst index cf413300c..a0d0cc2df 100644 --- a/documentation/migration-guides/migration-5.0.rst +++ b/documentation/migration-guides/migration-5.0.rst @@ -186,7 +186,7 @@ Miscellaneous changes - ``recipetool`` now prefixes the names of recipes created for Python modules with ``python3-``. -- The :ref:`ref-classes-cve-check` class no longer produces a warning for +- The ``cve-check`` class no longer produces a warning for remote patches --- it only logs a note and does not try to fetch the patch in order to scan it for issues or CVE numbers. However, CVE number references in remote patch file names will now be picked up. diff --git a/documentation/migration-guides/release-notes-4.0.23.rst b/documentation/migration-guides/release-notes-4.0.23.rst index abf7c6975..271a6340f 100644 --- a/documentation/migration-guides/release-notes-4.0.23.rst +++ b/documentation/migration-guides/release-notes-4.0.23.rst @@ -80,7 +80,7 @@ Fixes in Yocto-4.0.23 - ref-manual: add missing :term:`OPKGBUILDCMD` variable - ref-manual: devtool-reference: document missing commands - ref-manual: devtool-reference: refresh example outputs -- ref-manual: introduce :term:`CVE_CHECK_REPORT_PATCHED` variable +- ref-manual: introduce ``CVE_CHECK_REPORT_PATCHED`` variable - ref-manual: release-process: add a reference to the doc's release - ref-manual: release-process: refresh the current LTS releases - ref-manual: release-process: update releases.svg 
diff --git a/documentation/migration-guides/release-notes-4.1.1.rst b/documentation/migration-guides/release-notes-4.1.1.rst index 8393bc532..23ea4727c 100644 --- a/documentation/migration-guides/release-notes-4.1.1.rst +++ b/documentation/migration-guides/release-notes-4.1.1.rst @@ -131,8 +131,8 @@ Fixes in Yocto-4.1.1 - ref-manual/faq.rst: update references to products built with OE / Yocto Project - ref-manual/variables.rst: clarify sentence - ref-manual: add a note to ssh-server-dropbear feature -- ref-manual: add :term:`CVE_CHECK_SHOW_WARNINGS` -- ref-manual: add :term:`CVE_DB_UPDATE_INTERVAL` +- ref-manual: add ``CVE_CHECK_SHOW_WARNINGS`` +- ref-manual: add ``CVE_DB_UPDATE_INTERVAL`` - ref-manual: add :term:`DEV_PKG_DEPENDENCY` - ref-manual: add :term:`DISABLE_STATIC` - ref-manual: add :term:`FIT_PAD_ALG` diff --git a/documentation/migration-guides/release-notes-4.1.rst b/documentation/migration-guides/release-notes-4.1.rst index 3ad3611b8..81d541fac 100644 --- a/documentation/migration-guides/release-notes-4.1.rst +++ b/documentation/migration-guides/release-notes-4.1.rst 
@@ -47,11 +47,11 @@ New Features / Enhancements in 4.1 - CVE checking enhancements: - - New :term:`CVE_DB_UPDATE_INTERVAL` variable to allow specifying the CVE database minimum update interval (and default to once per day) + - New ``CVE_DB_UPDATE_INTERVAL`` variable to allow specifying the CVE database minimum update interval (and default to once per day) - Added JSON format to summary output - Added support for Ignored CVEs - Enable recursive CVE checking also for ``do_populate_sdk`` - - New :term:`CVE_CHECK_SHOW_WARNINGS` variable to disable unpatched CVE warning messages + - New ``CVE_CHECK_SHOW_WARNINGS`` variable to disable unpatched CVE warning messages - The :ref:`ref-classes-pypi` class now defaults :term:`CVE_PRODUCT` from :term:`PYPI_PACKAGE` - Added current kernel CVEs to ignore list since we stay as close to the kernel stable releases as we can - Optimisations to avoid dependencies on fetching diff --git a/documentation/migration-guides/release-notes-5.0.5.rst b/documentation/migration-guides/release-notes-5.0.5.rst index c8cf9a85d..7aadaeae4 100644 --- a/documentation/migration-guides/release-notes-5.0.5.rst +++ b/documentation/migration-guides/release-notes-5.0.5.rst @@ -83,7 +83,7 @@ Fixes in Yocto-5.0.5 - ref-manual: devtool-reference: document missing commands - ref-manual: devtool-reference: refresh example outputs - ref-manual: faq: add q&a on class appends -- ref-manual: introduce :term:`CVE_CHECK_REPORT_PATCHED` variable +- ref-manual: introduce ``CVE_CHECK_REPORT_PATCHED`` variable - ref-manual: merge patch-status-* to patch-status - ref-manual: release-process: add a reference to the doc's release - ref-manual: release-process: refresh the current LTS releases diff --git a/documentation/migration-guides/release-notes-5.0.rst b/documentation/migration-guides/release-notes-5.0.rst index de11bd174..31b1d3da7 100644 --- a/documentation/migration-guides/release-notes-5.0.rst +++ b/documentation/migration-guides/release-notes-5.0.rst 
@@ -10,7 +10,7 @@ New Features / Enhancements in 5.0 - New variables: - - :term:`CVE_DB_INCR_UPDATE_AGE_THRES`: Configure the maximum age of the + - ``CVE_DB_INCR_UPDATE_AGE_THRES``: Configure the maximum age of the internal CVE database for incremental update (instead of a full redownload). @@ -277,7 +277,7 @@ New Features / Enhancements in 5.0 - Improve incremental CVE database download from NVD. Rejected CVEs are removed, configuration is kept up-to-date. The age threshold for - incremental update can be configured with :term:`CVE_DB_INCR_UPDATE_AGE_THRES` + incremental update can be configured with ``CVE_DB_INCR_UPDATE_AGE_THRES`` variable. - Toaster Web UI improvements: diff --git a/documentation/migration-guides/release-notes-5.1.3.rst b/documentation/migration-guides/release-notes-5.1.3.rst index 641cb8d50..13cf48bae 100644 --- a/documentation/migration-guides/release-notes-5.1.3.rst +++ b/documentation/migration-guides/release-notes-5.1.3.rst @@ -40,7 +40,7 @@ Fixes in Yocto-5.1.3 - cmake: apply parallel build settings to ptest tasks - contributor-guide/submit-changes: add policy on AI generated code - cve-check: fix cvesInRecord -- cve-check: restore :term:`CVE_CHECK_SHOW_WARNINGS` functionality +- cve-check: restore ``CVE_CHECK_SHOW_WARNINGS`` functionality - dev-manual/building: document the initramfs-framework recipe - devtool: ide-sdk recommend :term:`DEBUG_BUILD` - devtool: ide-sdk remove the plugin from eSDK installer diff --git a/documentation/migration-guides/release-notes-5.1.rst b/documentation/migration-guides/release-notes-5.1.rst index bab0c1458..2f049690a 100644 --- a/documentation/migration-guides/release-notes-5.1.rst +++ b/documentation/migration-guides/release-notes-5.1.rst 
@@ -11,7 +11,7 @@ New Features / Enhancements in 5.1 - New variables: - - :term:`CVE_CHECK_MANIFEST_JSON_SUFFIX`: suffix for the CVE JSON manifest file. + - ``CVE_CHECK_MANIFEST_JSON_SUFFIX``: suffix for the CVE JSON manifest file. - :term:`PRSERV_UPSTREAM`: Upstream PR service (``host:port``) for the local PR server to connect to. @@ -235,12 +235,12 @@ New Features / Enhancements in 5.1 - Fetch release tarballs instead of git checkouts to reduce disk usage. -- :ref:`ref-classes-cve-check` changes: +- ``cve-check`` changes: - - The class :ref:`ref-classes-cve-check` now uses a local copy of the NVD + - The class ``cve-check`` now uses a local copy of the NVD database during builds. - - New statuses can be reported by :ref:`ref-classes-cve-check`: + - New statuses can be reported by ``cve-check``: - ``fix-file-included``: when a fix file has been included (set automatically) - ``version-not-in-range``: version number NOT in the vulnerable range (set automatically) diff --git a/documentation/migration-guides/release-notes-5.2.rst b/documentation/migration-guides/release-notes-5.2.rst index 5fc426c05..b5483c903 100644 --- a/documentation/migration-guides/release-notes-5.2.rst +++ b/documentation/migration-guides/release-notes-5.2.rst @@ -35,8 +35,8 @@ New Features / Enhancements in |yocto-ver| install tags (``--tags``) to the ``meson install`` command during the :ref:`ref-tasks-install` task. - - :ref:`ref-classes-cve-check`: :term:`NVD_DB_VERSION` to allow choosing the - CVE feed when using the :ref:`ref-classes-cve-check` class. + - ``cve-check``: ``NVD_DB_VERSION`` to allow choosing the + CVE feed when using the ``cve-check`` class. - The :term:`BB_USE_HOME_NPMRC` controls whether or not BitBake uses the user's ``.npmrc`` file within their home directory within the npm fetcher. 
@@ -479,7 +479,7 @@ New Features / Enhancements in |yocto-ver| - ``openssh``: be more restrictive on private key file permissions by setting them from the :ref:`ref-tasks-install` task. -- :ref:`ref-classes-cve-check` changes: +- ``cve-check`` changes: - Update the :term:`DL_DIR` database location name (``${DL_DIR}/CVE_CHECK2``). @@ -490,15 +490,15 @@ New Features / Enhancements in |yocto-ver| - Fix malformed cve status description with ``:`` characters. - - Restore the :term:`CVE_CHECK_SHOW_WARNINGS` variable and functionality. It + - Restore the ``CVE_CHECK_SHOW_WARNINGS`` variable and functionality. It currently prints warning message for every unpatched CVE the - :ref:`ref-classes-cve-check` class finds. + ``cve-check`` class finds. - - Users can control the NVD database source using the :term:`NVD_DB_VERSION` + - Users can control the NVD database source using the ``NVD_DB_VERSION`` variable with possible values ``NVD1``, ``NVD2``, or ``FKIE``. - The default feed for CVEs is now ``FKIE`` instead of ``NVD2`` (see - :term:`NVD_DB_VERSION` for more information). + ``NVD_DB_VERSION`` for more information). - New :term:`PACKAGECONFIG` options for individual recipes: @@ -621,8 +621,8 @@ New Features / Enhancements in |yocto-ver| - ``cve-update-nvd2-native``: updating the database will now result in an error if :term:`BB_NO_NETWORK` is enabled and - :term:`CVE_DB_UPDATE_INTERVAL` is not set to ``-1``. Users can control the - NVD database source using the :term:`NVD_DB_VERSION` variable with + ``CVE_DB_UPDATE_INTERVAL`` is not set to ``-1``. Users can control the + NVD database source using the ``NVD_DB_VERSION`` variable with possible values ``NVD1``, ``NVD2``, or ``FKIE``. - ``systemtap``: add ``--with-extra-version="oe"`` configure option to 
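Review bot: in the release-notes-5.2.rst hunk at @@ -490,15, the parenthetical "(see ``NVD_DB_VERSION`` for more information)" leads nowhere once the :term: link becomes a literal, because the glossary entry it pointed to is deleted from variables.rst later in this patch. Drop the parenthetical or fold the needed fact into the sentence. The same applies in the @@ -621,8 hunk to "``CVE_DB_UPDATE_INTERVAL`` is not set to ``-1``": the meaning of ``-1`` (updates disabled) was explained only in the entry being removed.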
@@ -714,10 +714,10 @@ New Features / Enhancements in |yocto-ver| Known Issues in |yocto-ver| ~~~~~~~~~~~~~~~~~~~~~~~~~~~ -- The :ref:`ref-classes-cve-check` class is based on the `National +- The ``cve-check`` class is based on the `National Vulnerability Database `__ (NVD). Since the beginning of 2024, the maintainers of this database have stopped annotating CVEs with - the affected CPEs. This prevents the :ref:`ref-classes-cve-check` class to + the affected CPEs. This prevents the ``cve-check`` class to properly report CVEs as CPEs are used to match Yocto recipes with CVEs affecting them. As a result, the current CVE reports may look good but the reality is that some vulnerabilities are just not reported. @@ -726,7 +726,7 @@ Known Issues in |yocto-ver| '__ for entries concerning software they use, or follow release notes of such projects closely. - Please note, that the :ref:`ref-classes-cve-check` tool has always been a + Please note, that the ``cve-check`` tool has always been a helper tool, and users are advised to always review the final result. Results of an automatic scan may not take into account configuration options, compiler options and other factors. diff --git a/documentation/migration-guides/release-notes-5.3.rst b/documentation/migration-guides/release-notes-5.3.rst index 0ba0fbe98..1655ca90f 100644 --- a/documentation/migration-guides/release-notes-5.3.rst +++ b/documentation/migration-guides/release-notes-5.3.rst @@ -778,7 +778,7 @@ New Features / Enhancements in |yocto-ver| branch is no longer updated `. -- :ref:`ref-classes-cve-check` class changes: +- ``cve-check`` class changes: - ``cve-update-db-native``: FKIE: use Secondary metric if there is no Primary metric. diff --git a/documentation/migration-guides/release-notes-6.0.rst b/documentation/migration-guides/release-notes-6.0.rst index 2ae182c8c..31d4cdfce 100644 --- a/documentation/migration-guides/release-notes-6.0.rst +++ b/documentation/migration-guides/release-notes-6.0.rst 
@@ -572,7 +572,7 @@ New Features / Enhancements in |yocto-ver| :doc:`/security-reference/index`. It is intended to document how to report vulnerabilities to the Yocto Project security team. -- :ref:`ref-classes-cve-check`-related changes: +- :ref:`ref-classes-sbom-cve-check`-related changes: - ``cve-update-nvd2-native``: Use maximum CVSS score when extracting it from multiple sources (:oecore_rev:`4f6192f3165de0bc2499e045607c7e7ffd878a4b`) diff --git a/documentation/ref-manual/classes.rst b/documentation/ref-manual/classes.rst index d66c9c68b..2905af5ed 100644 --- a/documentation/ref-manual/classes.rst +++ b/documentation/ref-manual/classes.rst 
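Review bot: the :ref:`ref-classes-sbom-cve-check` target introduced by the release-notes-6.0.rst hunk at @@ -572,7 has to be defined at this commit, and the retitling is not mentioned in the commit message. The other release-note and migration-guide hunks in this patch turn the reference into the literal ``cve-check``; this one points the heading at a different class instead. Since the commit message argues for bisectability, please confirm the label already exists at this point in the series (otherwise Sphinx reports an undefined label here) and that the bullet under the heading, about ``cve-update-nvd2-native`` using the maximum CVSS score, belongs under the new class name. If either is not the case, use ``cve-check`` here as elsewhere, or move the retitling to the commit that documents the new class.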
@@ -596,78 +596,6 @@ cross-compilation tools used for building SDKs. See the section in the Yocto Project Overview and Concepts Manual for more discussion on these cross-compilation tools. -.. _ref-classes-cve-check: - -``cve-check`` -============= - -The :ref:`ref-classes-cve-check` class looks for known CVEs (Common Vulnerabilities -and Exposures) while building with BitBake. This class is meant to be -inherited globally from a configuration file:: - - INHERIT += "cve-check" - -To filter out obsolete CVE database entries which are known not to impact -software from :term:`OpenEmbedded-Core (OE-Core)`, add the following line to the -build configuration file:: - - include cve-extra-exclusions.inc - -You can also look for vulnerabilities in specific packages by passing -``-c cve_check`` to BitBake. - -After building the software with Bitbake, CVE check output reports are available in ``tmp/deploy/cve`` -and image specific summaries in ``tmp/deploy/images/*.json`` files. - -When building, the CVE checker will emit build time warnings for any detected -issues which are in the state ``Unpatched``, meaning that CVE issue seems to affect the software component -and version being compiled and no patches to address the issue are applied. Other states -for detected CVE issues are: ``Patched`` meaning that a patch to address the issue is already -applied, and ``Ignored`` meaning that the issue can be ignored. - -The ``Patched`` state of a CVE issue is detected from patch files with the format -``CVE-ID.patch``, e.g. ``CVE-2019-20633.patch``, in the :term:`SRC_URI` and using -CVE metadata of format ``CVE: CVE-ID`` in the commit message of the patch file. - -.. note:: - - Commit message metadata (``CVE: CVE-ID`` in a patch header) will not be scanned - in any patches that are remote, i.e. that are anything other than local files - referenced via ``file://`` in SRC_URI. However, a ``CVE-ID`` in a remote patch - file name itself will be registered. 
- -If the recipe adds ``CVE-ID`` as flag of the :term:`CVE_STATUS` variable with status -mapped to ``Ignored``, then the CVE state is reported as ``Ignored``:: - - CVE_STATUS[CVE-2020-15523] = "not-applicable-platform: Issue only applies on Windows" - -If CVE check reports that a recipe contains false positives or false negatives, these may be -fixed in recipes by adjusting the CVE product name using :term:`CVE_PRODUCT` and :term:`CVE_VERSION` variables. -:term:`CVE_PRODUCT` defaults to the plain recipe name :term:`BPN` which can be adjusted to one or more CVE -database vendor and product pairs using the syntax:: - - CVE_PRODUCT = "flex_project:flex" - -where ``flex_project`` is the CVE database vendor name and ``flex`` is the product name. Similarly -if the default recipe version :term:`PV` does not match the version numbers of the software component -in upstream releases or the CVE database, then the :term:`CVE_VERSION` variable can be used to set the -CVE database compatible version number, for example:: - - CVE_VERSION = "2.39" - -Any bugs or missing or incomplete information in the CVE database entries should be fixed in the CVE database -via the `NVD feedback form `__. - -Users should note that security is a process, not a product, and thus also CVE checking, analyzing results, -patching and updating the software should be done as a regular process. The data and assumptions -required for CVE checker to reliably detect issues are frequently broken in various ways. -These can only be detected by reviewing the details of the issues and iterating over the generated reports, -and following what happens in other Linux distributions and in the greater open source community. - -You will find some more details in the -":ref:`security-manual/vulnerabilities:checking for vulnerabilities`" -section in the Development Tasks Manual. - .. _ref-classes-cython: ``cython`` 
@@ -3818,8 +3746,7 @@ using the Vala programming language. ======== The :ref:`ref-classes-vex` class is used to generate metadata needed by external -tools to check for vulnerabilities, for example CVEs. It can be used as a -replacement for :ref:`ref-classes-cve-check`. +tools to check for vulnerabilities, for example CVEs. In order to use this class, inherit the class in the ``local.conf`` file and it will add the ``generate_vex`` task for every recipe:: @@ -3830,9 +3757,6 @@ If an image is built it will generate a report in :term:`DEPLOY_DIR_IMAGE` for all the packages used, it will also generate a file for all recipes used in the build. -Variables use the ``CVE_CHECK`` prefix to keep compatibility with the -:ref:`ref-classes-cve-check` class. - Example usage:: bitbake -c generate_vex openssl diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst index e713204e3..0fcf81299 100644 --- a/documentation/ref-manual/variables.rst +++ b/documentation/ref-manual/variables.rst 
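Review bot: in the classes.rst vex hunk at @@ -3830,9, deleting "Variables use the ``CVE_CHECK`` prefix to keep compatibility with the ... class" takes away the explanation of why vex variables are named CVE_CHECK_*. The commit message states that the vex class keeps using that namespace, and the variables.rst hunks later in this patch keep CVE_CHECK_MANIFEST_JSON and CVE_CHECK_SKIP_RECIPE for it, so a reader of the vex section still needs that hint. Consider keeping the sentence in a form that does not link the removed label, for example saying the ``CVE_CHECK`` prefix is kept for historical reasons.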
@@ -1977,42 +1977,22 @@ system and gives an overview of their function and contents. variable only in certain contexts (e.g. when building for kernel and kernel module recipes). - :term:`CVE_CHECK_CREATE_MANIFEST` - Specifies whether to create a CVE manifest to place in the deploy - directory. The default is "1". - :term:`CVE_CHECK_IGNORE` This variable is deprecated and should be replaced by :term:`CVE_STATUS`. :term:`CVE_CHECK_MANIFEST_JSON` - Specifies the path to the CVE manifest in JSON format. See - :term:`CVE_CHECK_CREATE_MANIFEST`. - - :term:`CVE_CHECK_MANIFEST_JSON_SUFFIX` - Allows to modify the JSON manifest suffix. See - :term:`CVE_CHECK_MANIFEST_JSON`. - - :term:`CVE_CHECK_REPORT_PATCHED` - Specifies whether or not the :ref:`ref-classes-cve-check` - class should report patched or ignored CVEs. The default is "1", but you - may wish to set it to "0" if you do not need patched or ignored CVEs in - the logs. - - :term:`CVE_CHECK_SHOW_WARNINGS` - Specifies whether or not the :ref:`ref-classes-cve-check` - class should generate warning messages on the console when unpatched - CVEs are found. The default is "1", but you may wish to set it to "0" if - you are already examining/processing the logs after the build has - completed and thus do not need the warning messages. + When inheriting the :ref:`ref-classes-vex` class, this variable specifies + the path to the CVE manifest in JSON format. :term:`CVE_CHECK_SKIP_RECIPE` - The list of package names (:term:`PN`) for which - CVEs (Common Vulnerabilities and Exposures) are ignored. + When inheriting the :ref:`ref-classes-vex` class, the variable specifies + the list of package names (:term:`PN`) for which CVEs (Common + Vulnerabilities and Exposures) are ignored. :term:`CVE_CHECK_STATUSMAP` Mapping variable for all possible reasons of :term:`CVE_STATUS`: ``Patched``, ``Unpatched`` and ``Ignored``. 
- See :ref:`ref-classes-cve-check` or ``meta/conf/cve-check-map.conf`` for more details:: + See :oecore_path:`meta/conf/cve-check-map.conf` for more details:: CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored" @@ -2023,18 +2003,6 @@ system and gives an overview of their function and contents. CVE_CHECK_VEX_JUSTIFICATION[not-applicable-config] = "vulnerableCodeNotPresent" - :term:`CVE_DB_INCR_UPDATE_AGE_THRES` - Specifies the maximum age of the CVE database in seconds for an - incremental update (instead of a full-download). Use "0" to force a - full-download. - - :term:`CVE_DB_UPDATE_INTERVAL` - Specifies the CVE database update interval in seconds, as used by - ``cve-update-db-native``. The default value is "86400" i.e. once a day - (24*60*60). If the value is set to "0" then the update will be forced - every time. Alternatively, a negative value e.g. "-1" will disable - updates entirely. - :term:`CVE_PRODUCT` In a recipe, defines the name used to match the recipe name against the name in the upstream `NIST CVE database `__. @@ -2085,12 +2053,14 @@ system and gives an overview of their function and contents. :term:`CVE_VERSION` In a recipe, defines the version used to match the recipe version against the version in the `NIST CVE database `__ - when usign :ref:`ref-classes-cve-check`. + when using the :ref:`ref-classes-vex` or :ref:`ref-classes-create-spdx` + class. The default is ${:term:`PV`} but if recipes use custom version numbers which do not map to upstream software component release versions and the versions used in the CVE database, then this variable can be used to set the - version number for :ref:`ref-classes-cve-check`. Example:: + version number for :ref:`ref-classes-vex` or + :ref:`ref-classes-create-spdx`. Example:: CVE_VERSION = "2.39" 
@@ -6548,33 +6518,6 @@ system and gives an overview of their function and contents. NON_MULTILIB_RECIPES = "grub grub-efi make-mod-scripts ovmf u-boot" - :term:`NVD_DB_VERSION` - The :term:`NVD_DB_VERSION` variable allows choosing the CVE feed when - using the :ref:`ref-classes-cve-check` class. It can be one of: - - - ``FKIE`` (default): the `FKIE-CAD `__ - feed reconstruction - - ``NVD2``: the NVD feed with API version 2 - - ``NVD1``: the NVD JSON feed (deprecated) - - In case of a malformed feed name, the ``NVD2`` feed is selected and an - error is printed. - - :term:`NVDCVE_API_KEY` - The NVD API key used to retrieve data from the CVE database when - using :ref:`ref-classes-cve-check`. - - By default, no API key is used, which results in larger delays between API - requests and limits the number of queries to the public rate limits posted - at the `NVD developer's page `__. - - NVD API keys can be requested through the - `Request an API Key `__ - page. You can set this variable to the NVD API key in your ``local.conf`` file. - Example:: - - NVDCVE_API_KEY = "fe753&7a2-1427-347d-23ff-b2e2b7ca5f3" - :term:`OBJCOPY` The minimal command and arguments to run :manpage:`objcopy `. diff --git a/documentation/security-manual/vulnerabilities.rst b/documentation/security-manual/vulnerabilities.rst index e6135a525..983e1548c 100644 --- a/documentation/security-manual/vulnerabilities.rst +++ b/documentation/security-manual/vulnerabilities.rst @@ -28,7 +28,7 @@ Vulnerability check at build time ================================= To enable a check for CVE security vulnerabilities using -:ref:`ref-classes-cve-check` in the specific image or target you are building, +``cve-check`` in the specific image or target you are building, add the following setting to your configuration:: INHERIT += "cve-check" 
@@ -58,7 +58,7 @@ analysis, it has been deemed to ignore the issue as it for example affects the software component on a different operating system platform. By default, no NVD API key is used to retrieve data from the CVE database, which -results in larger delays between NVD API requests. See the :term:`NVDCVE_API_KEY` +results in larger delays between NVD API requests. See the ``NVDCVE_API_KEY`` documentation on how to request and set a NVD API key. After a build with CVE check enabled, reports for each compiled source recipe will be @@ -145,7 +145,7 @@ It is also possible to check the CVE status of individual packages as follows:: Fixing CVE product name and version mappings ============================================ -By default, :ref:`ref-classes-cve-check` uses the recipe name :term:`BPN` as CVE +By default, ``cve-check`` uses the recipe name :term:`BPN` as CVE product name when querying the CVE database. If this mapping contains false positives, e.g. some reported CVEs are not for the software component in question, or false negatives like some CVEs are not found to impact the recipe when they should, then the problems can be @@ -288,7 +288,7 @@ the :term:`CVE_CHECK_SKIP_RECIPE` variable. Implementation details ====================== -Here's what the :ref:`ref-classes-cve-check` class does to find unpatched CVE IDs. +Here's what the ``cve-check`` class does to find unpatched CVE IDs. First the code goes through each patch file provided by a recipe. If a valid CVE ID is found in the name of the file, the corresponding CVE is considered as patched. @@ -389,7 +389,7 @@ Don't forget to update your kernel recipe with:: include cve-exclusion_6.12.inc Then the CVE information will automatically be added in the -:ref:`ref-classes-cve-check` or :ref:`ref-classes-vex` report. +``cve-check`` or :ref:`ref-classes-vex` report. ``improve_kernel_cve_report.py`` -------------------------------- 
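Review bot: in the vulnerabilities.rst hunk at @@ -58,7, "See the ``NVDCVE_API_KEY`` documentation on how to request and set a NVD API key" now refers to documentation that this same patch deletes (the NVDCVE_API_KEY entry removed from variables.rst at @@ -6548,33). The commit message says the page is rewritten in the next commits, but at this commit the sentence sends readers to a glossary entry that no longer exists. Dropping that sentence here would keep the intermediate state self-consistent.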
@@ -402,7 +402,7 @@ CVEs by analyzing the files used to build the kernel. The script is decoupled fr the build and can be run outside of the :term:`BitBake` environment. The script uses the output from the :ref:`ref-classes-vex` or -:ref:`ref-classes-cve-check` class as input, together with CVE information from +``cve-check`` class as input, together with CVE information from the Linux kernel CNA to enrich the ``cve-summary.json`` file with updated CVE information.
From: Antonin Godard
Date: Fri, 24 Apr 2026 10:28:36 +0200
Subject: [PATCH v2 08/18] ref-manual/variables.rst: document the SBOM_CVE_CHECK_SHOW_WARNINGS variable
Message-Id: <20260424-third-release-notes-6-0-v2-8-4feacf138e13@bootlin.com>
References: <20260424-third-release-notes-6-0-v2-0-4feacf138e13@bootlin.com>
In-Reply-To: <20260424-third-release-notes-6-0-v2-0-4feacf138e13@bootlin.com>
To: docs@lists.yoctoproject.org
Cc: Thomas Petazzoni, Antonin Godard
X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/9346

Added by commit 5a5162406ffe ("sbom-cve-check-common: print warnings on unpatched CVEs")
in OE-Core. Signed-off-by: Antonin Godard --- documentation/ref-manual/variables.rst | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst index 0fcf81299..4341e27fc 100644 --- a/documentation/ref-manual/variables.rst +++ b/documentation/ref-manual/variables.rst 
@@ -8710,6 +8710,19 @@ system and gives an overview of their function and contents. - ``both``: recipes are scanned in both their target and :ref:`ref-classes-native` context + :term:`SBOM_CVE_CHECK_SHOW_WARNINGS` + When inheriting the :ref:`ref-classes-sbom-cve-check` class, this + variable controls whether to show warnings when CVEs with the + ``Unpatched`` status are found. Example output: + + .. code-block:: text + + WARNING: core-image-minimal-1.0-r0 do_sbom_cve_check: glibc-2.43+git: Found unpatched CVEs: CVE-2010-4756 + + Set to "1" to show the warnings, "0" otherwise. + + See :doc:`/security-manual/vulnerabilities` for more information. + :term:`SDK_ARCH` The target architecture for the SDK. Typically, you do not directly set this variable. Instead, use :term:`SDKMACHINE`.
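Review bot: the new SBOM_CVE_CHECK_SHOW_WARNINGS entry never states the default. It says 'Set to "1" to show the warnings, "0" otherwise', so a reader cannot tell whether unpatched-CVE warnings appear in a build that leaves the variable alone. The CVE_CHECK_SHOW_WARNINGS entry removed in patch 07 spelled this out ('The default is "1"'); please add the default as set by the class, next to the "Set to" sentence.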
From: Antonin Godard Date: Fri, 24 Apr 2026 10:28:37 +0200 Subject: [PATCH v2 09/18] security-manual/vulnerabilities.rst: require Upstream-Status, not recommend Message-Id: <20260424-third-release-notes-6-0-v2-9-4feacf138e13@bootlin.com> To: docs@lists.yoctoproject.org Cc: Thomas Petazzoni , Antonin Godard X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/9347 We want the Upstream-Status in any case, even if the status turns to be something like
"oe-specific". So explicitly require it here. Signed-off-by: Antonin Godard --- documentation/security-manual/vulnerabilities.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/security-manual/vulnerabilities.rst b/documentation/security-manual/vulnerabilities.rst index 983e1548c..6121d4d7d 100644 --- a/documentation/security-manual/vulnerabilities.rst +++ b/documentation/security-manual/vulnerabilities.rst 
@@ -234,7 +234,7 @@ the format:: CVE: CVE-2022-3341 -It is also recommended to add the ``Upstream-Status:`` tag with a link +It is also required to add the ``Upstream-Status:`` tag with a link to the original patch and sign-off by people working on the backport. If there are any modifications to the original patch, note them in the ``Comments:`` tag.
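Review bot: Changing only "recommended" to "required" makes the sentence require a link to the original patch in every case, while the commit message says the tag is wanted even when the status is something like "oe-specific", which suggests cases with no original patch to link. Suggest splitting the sentence: require the ``Upstream-Status:`` tag unconditionally, then ask for the link and the sign-off of the people working on the backport when the change is a backport. The opening "It is also" reads oddly once the sentence states a requirement; "The ``Upstream-Status:`` tag is also required" is more direct.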
From: Antonin Godard Date: Fri, 24 Apr 2026 10:28:38 +0200 Subject: [PATCH v2 10/18] security-manual/vulnerabilities.rst: refresh the document after cve-check removal Message-Id: <20260424-third-release-notes-6-0-v2-10-4feacf138e13@bootlin.com> To: docs@lists.yoctoproject.org Cc: Thomas Petazzoni , Antonin Godard X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/9348 The cve-check class was removed with 00de455f8d3a ("classes/cve-check: remove class") in
OE-Core. The sbom-cve-check class replaces it. And while it can generate the same report (with the same format), the vulnerabilities document needed an update to reflect the changes. Notable differences: - The output report has a different name (but same format) - There is also an enriched SPDX report containing the vulnerabilities. We do not go in details about this one as this is tied to the SPDX specification, and much more complicated. - The sbom-cve-check does not produce warnings when Unpatched CVEs are found. - The implementation details is removed as this is part of the sbom-cve-check documentation (add a link to it instead). Signed-off-by: Antonin Godard --- documentation/security-manual/vulnerabilities.rst | 219 ++++++++++------------ 1 file changed, 100 insertions(+), 119 deletions(-) diff --git a/documentation/security-manual/vulnerabilities.rst b/documentation/security-manual/vulnerabilities.rst index 6121d4d7d..38fbd2c7e 100644 --- a/documentation/security-manual/vulnerabilities.rst +++ b/documentation/security-manual/vulnerabilities.rst 
@@ -27,125 +27,137 @@ patches to fix them, see ":doc:`/contributor-guide/submit-changes`" for details. Vulnerability check at build time ================================= -To enable a check for CVE security vulnerabilities using -``cve-check`` in the specific image or target you are building, -add the following setting to your configuration:: +To enable a check for CVE security vulnerabilities in the specific image or +target you are building, run the following command from your :term:`Build +Directory`: - INHERIT += "cve-check" +.. code-block:: console -The CVE database contains some old incomplete entries which have been -deemed not to impact :term:`OpenEmbedded-Core (OE-Core)`. These CVE entries can be excluded from the -check using build configuration:: + $ bitbake-config-build enable-fragment core/yocto/sbom-cve-check + +Or add the following statement to a :term:`configuration file`:: + + OE_FRAGMENTS += "core/yocto/sbom-cve-check" + +This will enable the :ref:`ref-classes-sbom-cve-check` class and set the +recommended settings to use it. + +The CVE database contains some old incomplete entries which have been deemed not +to impact :term:`OpenEmbedded-Core (OE-Core)`. These CVE entries can be excluded +from the check by adding the following statement:: include conf/distro/include/cve-extra-exclusions.inc -With this CVE check enabled, BitBake build will try to map each compiled software component -recipe name and version information to the CVE database and generate recipe and -image specific reports. 
These reports will contain: +With the :ref:`ref-fragments-core-yocto-sbom-cve-check` fragment enabled, the +:term:`BitBake` build of an image will try to map each compiled software +component recipe name and version information to the CVE database and generate +reports in the deployment directory (:term:`DEPLOY_DIR_IMAGE`), one of which +being: ``tmp/deploy/images//-.rootfs.sbom-cve-check.yocto.json``, +a report containing: -- metadata about the software component like names and versions + - Metadata about the software component like names and versions + - Metadata about the CVE issue such as description and NVD link + - For each software component, a list of CVEs which are possibly impacting this version + - Status of each CVE: ``Patched``, ``Unpatched`` or ``Ignored`` -- metadata about the CVE issue such as description and NVD link +.. note:: -- for each software component, a list of CVEs which are possibly impacting this version + Another report named ``-.rootfs.sbom-cve-check.spdx.json`` + is also generated: this is the enriched :term:`SPDX` file of the image + containing the same information contained in the previous point, and a lot + more metadata information on the packages included in the image. For more + information on :term:`SPDX`, see the :doc:`/dev-manual/sbom` section of the + Yocto Project Development Tasks Manual. -- status of each CVE: ``Patched``, ``Unpatched`` or ``Ignored`` +Each item in the ``"package"`` list corresponds to a package installed on the +built image. Each of these packages contain a number of CVE entries under the +``"issue"`` sub-list. These CVE can have the following statuses: -The status ``Patched`` means that a patch file to address the security issue has been -applied. ``Unpatched`` status means that no patches to address the issue have been -applied and that the issue needs to be investigated. 
``Ignored`` means that after -analysis, it has been deemed to ignore the issue as it for example affects -the software component on a different operating system platform. +- ``Patched`` means that a patch file to address the security issue + has been applied. -By default, no NVD API key is used to retrieve data from the CVE database, which -results in larger delays between NVD API requests. See the ``NVDCVE_API_KEY`` -documentation on how to request and set a NVD API key. +- ``Unpatched`` means that no patches to address the issue have been + applied and that the issue needs to be investigated. -After a build with CVE check enabled, reports for each compiled source recipe will be -found in ``build/tmp/deploy/cve``. +- ``Ignored`` means that after analysis, it has been deemed to ignore the issue + as it for example affects the software component on a different operating + system platform. -For example the CVE check report for the ``flex-native`` recipe looks like:: +For example, the report for the ``glibc`` package looks like this (simplified): + +.. 
code-block:: json - $ cat ./tmp/deploy/cve/flex-native_cve.json { "version": "1", "package": [ { - "name": "flex-native", - "layer": "meta", - "version": "2.6.4", + "name": "glibc", + "layer": "core", + "version": "2.43+git", "products": [ { - "product": "flex", - "cvesInRecord": "No" - }, - { - "product": "flex", + "product": "glibc", "cvesInRecord": "Yes" } ], "issue": [ { - "id": "CVE-2006-0459", - "status": "Patched", - "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0459", - "summary": "flex.skl in Will Estes and John Millaway Fast Lexical Analyzer Generator (flex) before 2.5.33 does not allocate enough memory for grammars containing (1) REJECT statements or (2) trailing context rules, which causes flex to generate code that contains a buffer overflow that might allow context-dependent attackers to execute arbitrary code.", - "scorev2": "7.5", + "id": "CVE-2010-4756", + "status": "Unpatched", + "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4756", + "summary": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.", + "scorev2": "4.0", "scorev3": "0.0", "scorev4": "0.0", - "modified": "2024-11-21T00:06Z", + "modified": "2025-11-03T22:15:41.000", "vector": "NETWORK", - "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", - "detail": "version-not-in-range" + "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", + "detail": "no-version-ranges", + "description": "Check package version" }, { - "id": "CVE-2016-6354", + "id": "CVE-2018-6551", "status": "Patched", - "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6354", - "summary": "Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly 
execute arbitrary code via vectors involving num_to_read.", + "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6551", + "summary": "The malloc implementation in the GNU C Library (aka glibc or libc6), from version 2.24 to 2.26 on powerpc, and only in version 2.26 on i386, did not properly handle malloc calls with arguments close to SIZE_MAX and could return a pointer to a heap region that is smaller than requested, eventually leading to heap corruption.", "scorev2": "7.5", "scorev3": "9.8", "scorev4": "0.0", - "modified": "2024-11-21T02:55Z", + "modified": "2024-11-21T04:10:53.000", "vector": "NETWORK", - "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "detail": "version-not-in-range" }, { - "id": "CVE-2019-6293", + "id": "CVE-2019-1010022", "status": "Ignored", - "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6293", - "summary": "An issue was discovered in the function mark_beginning_as_normal in nfa.c in flex 2.6.4. There is a stack exhaustion problem caused by the mark_beginning_as_normal function making recursive calls to itself in certain scenarios involving lots of '*' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service.", - "scorev2": "4.3", - "scorev3": "5.5", + "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010022", + "summary": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. 
NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.", + "scorev2": "7.5", + "scorev3": "9.8", "scorev4": "0.0", - "modified": "2024-11-21T04:46Z", + "modified": "2024-11-21T04:17:55.000", "vector": "NETWORK", - "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", - "detail": "upstream-wontfix", - "description": "there is stack exhaustion but no bug and it is building the parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address this." + "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "description": "Upstream glibc maintainers dispute there is any issue and have no plans to address it further. this is being treated as a non-security bug and no real threat." } - ] + ], + "cpes": ["cpe:2.3:*:*:glibc:2.43:*:*:*:*:*:*:*"] } ] } -For images, a summary of all recipes included in the image and their CVEs is also -generated in the JSON format. These ``.json`` reports can be found -in the ``tmp/deploy/images`` directory for each compiled image. - -At build time CVE check will also throw warnings about ``Unpatched`` CVEs:: +At build time the :ref:`ref-classes-sbom-cve-check` class will also throw warnings about +``Unpatched`` CVEs (when :term:`SBOM_CVE_CHECK_SHOW_WARNINGS` is set to "1"): - WARNING: qemu-native-9.2.0-r0 do_cve_check: Found unpatched CVE (CVE-2023-1386) +.. code-block:: text -It is also possible to check the CVE status of individual packages as follows:: - - bitbake -c cve_check flex libarchive + WARNING: core-image-minimal-1.0-r0 do_sbom_cve_check: glibc-2.43+git: Found unpatched CVEs: CVE-2010-4756 Fixing CVE product name and version mappings ============================================ -By default, ``cve-check`` uses the recipe name :term:`BPN` as CVE +By default, :ref:`ref-classes-sbom-cve-check` uses the recipe name :term:`BPN` as CVE product name when querying the CVE database. If this mapping contains false positives, e.g. 
some reported CVEs are not for the software component in question, or false negatives like some CVEs are not found to impact the recipe when they should, then the problems can be @@ -175,7 +187,7 @@ Fixing vulnerabilities in recipes Suppose a CVE security issue impacts a software component. In that case, it can be fixed by updating to a newer version, by applying a patch, or by marking it -as patched via :term:`CVE_STATUS` variable flag. For OE-Core master +as patched via :term:`CVE_STATUS` variable flag. For :term:`OpenEmbedded-Core (OE-Core)` master branches, updating to a more recent software component release with fixes is the best option, but patches can be applied if releases are not yet available. @@ -228,7 +240,7 @@ is:: 1 file changed, 12 insertions(+), 4 deletions(-) -For the correct operations of the ``cve-check``, it requires the CVE +For the correct operations of :ref:`ref-classes-sbom-cve-check`, it requires the CVE identification in a ``CVE:`` tag of the patch file commit message using the format:: @@ -265,8 +277,8 @@ With the additional information, the header of the patch file in OE-core becomes A good practice is to include the CVE identifier in the patch file name, the patch file commit message and optionally in the recipe commit message. -CVE checker will then capture this information and change the CVE status to ``Patched`` -in the generated reports. +:ref:`ref-classes-sbom-cve-check` will then capture this information and change the CVE +status to ``Patched`` in the generated reports. If analysis shows that the CVE issue does not impact the recipe due to configuration, platform, version or other reasons, the CVE can be marked as ``Ignored`` by using 
@@ -282,44 +294,6 @@ to fix those issues in the CVE database (NVD in the case of Note that if there are many CVEs with the same status and reason, those can be shared by using the :term:`CVE_STATUS_GROUPS` variable. -Recipes can be completely skipped by CVE check by including the recipe name in -the :term:`CVE_CHECK_SKIP_RECIPE` variable. - -Implementation details -====================== - -Here's what the ``cve-check`` class does to find unpatched CVE IDs. - -First the code goes through each patch file provided by a recipe. If a valid CVE ID -is found in the name of the file, the corresponding CVE is considered as patched. -Don't forget that if multiple CVE IDs are found in the filename, only the last -one is considered. Then, the code looks for ``CVE: CVE-ID`` lines in the patch -file. The found CVE IDs are also considered as patched. -Additionally ``CVE_STATUS`` variable flags are parsed for reasons mapped to ``Patched`` -and these are also considered as patched. - -Then, the code looks up all the CVE IDs in the NIST database for all the -products defined in :term:`CVE_PRODUCT`. Then, for each found CVE: - -- If the package name (:term:`PN`) is part of - :term:`CVE_CHECK_SKIP_RECIPE`, it is considered as ``Patched``. - -- If the CVE ID has status ``CVE_STATUS[] = "ignored"`` or if it's set to - any reason which is mapped to status ``Ignored`` via ``CVE_CHECK_STATUSMAP``, - it is set as ``Ignored``. - -- If the CVE ID is part of the patched CVE for the recipe, it is - already considered as ``Patched``. - -- Otherwise, the code checks whether the recipe version (:term:`PV`) - is within the range of versions impacted by the CVE. If so, the CVE - is considered as ``Unpatched``. - -The CVE database is stored in :term:`DL_DIR` and can be inspected using -``sqlite3`` command as follows:: - - sqlite3 downloads/CVE_CHECK2/nvd*.db .dump | grep CVE-2021-37462 - When analyzing CVEs, it is recommended to: - study the latest information in `CVE database `__. 
@@ -335,6 +309,12 @@ When analyzing CVEs, it is recommended to: - follow public `open source security mailing lists `__ for discussions and advance notifications of CVE bugs and software releases with fixes. +Implementation details +====================== + +As :ref:`ref-classes-sbom-cve-check` is an external tool, its implementation is detailed on +the official documentation: https://sbom-cve-check.readthedocs.io/en/latest/index.html + Linux kernel vulnerabilities ============================ 
@@ -396,15 +376,16 @@ Then the CVE information will automatically be added in the The ``openembedded-core/scripts/contrib/improve_kernel_cve_report.py`` script leverages CVE kernel metadata and the :term:`SPDX_INCLUDE_COMPILED_SOURCES` -variable to update a ``cve-summary.json`` file. It reduces CVE false -positives by 70%-80% and provide detailed responses for all kernel-related -CVEs by analyzing the files used to build the kernel. The script is decoupled from -the build and can be run outside of the :term:`BitBake` environment. +variable to update an output ``.sbom-cve-check.yocto.json`` report file (see +section :ref:`security-manual/vulnerabilities:Vulnerability check at build time` +for details on these report files). It reduces CVE false positives by 70%-80% +and provide detailed responses for all kernel-related CVEs by analyzing the +files used to build the kernel. The script is decoupled from the build and +can be run outside of the :term:`BitBake` environment. -The script uses the output from the :ref:`ref-classes-vex` or -``cve-check`` class as input, together with CVE information from -the Linux kernel CNA to enrich the ``cve-summary.json`` file with updated CVE -information. +The script uses the output from the :ref:`ref-classes-vex` as input, together +with CVE information from the Linux kernel CNA to enrich the +report file with updated CVE information. The file name can be specified as argument. Optionally, it can also use the list of compiled files from the kernel :term:`SPDX` to ignore CVEs that are @@ -465,7 +446,7 @@ the first two examples, using the old cve-summary.json. $ python3 openembedded-core/scripts/contrib/improve_kernel_cve_report.py \ --spdx tmp/deploy/spdx/3.0.1/qemux86_64/recipes/recipe-linux-yocto.spdx.json \ --datadir ~/vulns \ - --old-cve-report build/tmp/log/cve/cve-summary.json + --old-cve-report build/tmp/deploy/images//-.rootfs.sbom-cve-check.yocto.json - Example using ``--debug-sources`` file instead of SPDX kernel file: 
@@ -474,7 +455,7 @@ the first two examples, using the old cve-summary.json. $ python3 openembedded-core/scripts/contrib/improve_kernel_cve_report.py \ --debug-sources tmp/pkgdata/qemux86_64/debugsources/linux-yocto-debugsources.json.zstd \ --datadir ~/vulns \ - --old-cve-report build/tmp/log/cve/cve-summary.json + --old-cve-report build/tmp/deploy/images//-.rootfs.sbom-cve-check.yocto.json - Example using the ``--kernel-version``:
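Review bot: In the first hunk (@@ -27,125 +27,137 @@), the new text says the class "will also throw warnings about ``Unpatched`` CVEs (when :term:`SBOM_CVE_CHECK_SHOW_WARNINGS` is set to "1")", but the commit message lists "The sbom-cve-check does not produce warnings when Unpatched CVEs are found" as a notable difference. One of the two needs adjusting; if warnings are off unless the variable is set, say so in the text instead of "will also throw". The same hunk drops the ``NVDCVE_API_KEY`` paragraph and the ``bitbake -c cve_check flex libarchive`` per-recipe invocation with no replacement text, so it would help to state whether an equivalent exists. Minor wording: "Each of these packages contain" should be "contains", and "These CVE can have" should be "These CVEs can have".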
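Review bot: The hunk at @@ -282,44 +294,6 @@ deletes the sentence on skipping recipes through :term:`CVE_CHECK_SKIP_RECIPE` without saying what replaces it. The commit message's list of notable differences does not mention this variable, so a reader cannot tell whether recipes can still be skipped with :ref:`ref-classes-sbom-cve-check`. Suggest either keeping a sentence that names the replacement mechanism or stating explicitly that there is none. The removed "Implementation details" text also carried the caveat that only the last CVE ID in a patch file name is considered; if that still holds for the new tooling, it is worth keeping next to the patch-naming advice.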
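Review bot: In the hunk at @@ -335,6 +309,12 @@, "As :ref:`ref-classes-sbom-cve-check` is an external tool" applies the class reference to the tool. The upstream commit quoted later in this series describes sbom-cve-check as a separate tool, with support for it merged into oe-core, so the class and the tool should be named separately. Suggest wording along the lines of "The :ref:`ref-classes-sbom-cve-check` class relies on the external sbom-cve-check tool, whose implementation is described in its official documentation", with "in" rather than "on the official documentation". The other external links visible in this file's context use named hyperlinks, so the bare URL could follow that form.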
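Review bot: In the hunk at @@ -396,15 +376,16 @@, the two rewritten paragraphs disagree about the script's input. The first says the script updates a ``.sbom-cve-check.yocto.json`` report, and the examples further down pass that report to ``--old-cve-report``, yet the second now names only the :ref:`ref-classes-vex` output as input after "or ``cve-check`` class" was dropped. Suggest stating which report files the script accepts. "the :ref:`ref-classes-vex`" has also lost its noun and should read "the :ref:`ref-classes-vex` class", and "and provide" should be "and provides".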
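Review bot: The hunk at @@ -465,7 +446,7 @@ switches ``--old-cve-report`` to the new report path, but its header context still reads "the first two examples, using the old cve-summary.json", so the surrounding text keeps the file name this patch replaces elsewhere. Suggest updating that sentence in the same patch. The new argument is rooted at ``build/tmp/deploy/...`` while ``--spdx`` two lines above is rooted at ``tmp/deploy/...``; using one base directory within the example would avoid confusion. The same applies to the ``--debug-sources`` example in the following hunk.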
From: Antonin Godard Date: Fri, 24 Apr 2026 10:28:39 +0200 Subject: [PATCH v2 11/18] migration-guides/migration-6.0.rst: add migration notes on cve-check removal Message-Id: <20260424-third-release-notes-6-0-v2-11-4feacf138e13@bootlin.com> To: docs@lists.yoctoproject.org Cc: Thomas Petazzoni , Antonin Godard X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/9349 The cve-check class was removed with 00de455f8d3a ("classes/cve-check: remove class") in
OE-Core. Add migration notes to migrate from cve-check to sbom-cve-check. Signed-off-by: Antonin Godard --- documentation/migration-guides/migration-6.0.rst | 79 ++++++++++++++++++++++ .../migration-guides/release-notes-6.0.rst | 3 - 2 files changed, 79 insertions(+), 3 deletions(-) diff --git a/documentation/migration-guides/migration-6.0.rst b/documentation/migration-guides/migration-6.0.rst index d763062da..ecb124a93 100644 --- a/documentation/migration-guides/migration-6.0.rst +++ b/documentation/migration-guides/migration-6.0.rst 
@@ -291,6 +291,81 @@ information. Users are advised to transition to SDPX 3.0, which is provided by the :ref:`ref-classes-create-spdx` class. +``cve-check`` class removed +--------------------------- + +The ``cve-check`` class was removed and replaced by the +:ref:`ref-classes-sbom-cve-check` class. Quoting the commit removing the class +(:oecore_rev:`00de455f8d3aeca880129d23e8cfb7e246404699`): + +.. code-block:: text + + It's been long known that the cve-check class in oe-core is not that + usable in the real world, for more details see "Future of CVE scanning + in Yocto"[1]. This mail proposed an alternative direction that included + a CVE scanning tool that can be ran both during the build and afterwards, + so that periodic scans of a previously build image is possible. + + Last year, Bootlin wrote sbom-cve-check[2] and I compared this to my + proposal in "Comparing cve-check with sbom-cve-check"[3], concluding + that this is likely the missing piece. + + Support for sbom-cve-check has been merged into oe-core, and the + cve-check class is now obsolete. So that we don't have to maintain it for + the four-year lifecycle of the Wrynose release, delete it. + + This patch also deletes the database fetcher recipes, and the test cases + that were specific to cve-check. Note that the oe.cve_check library + still exists as this is used by the SPDX classes. + + [1] https://lore.kernel.org/openembedded-core/7D6E419E-A7AE-4324-966C-3552C586E452@arm.com/ + [2] https://github.com/bootlin/sbom-cve-check + [3] https://lore.kernel.org/openembedded-core/2CD10DD9-FB2A-4B10-B98A-85918EB6B4B7@arm.com/ + +Users currently using the ``cve-check`` class are advised to switch to +:ref:`ref-classes-sbom-cve-check`: + +- The following assignment:: + + INHERIT += "cve-check" + + Should be removed and replaced by:: + + OE_FRAGMENTS += "core/yocto/sbom-cve-check" + + This will enable the :ref:`ref-classes-sbom-cve-check` class along with the recommended + settings. 
+ + This will deploy two files to the deployment directory + (:term:`DEPLOY_DIR_IMAGE`) after building an image: + + - A file ending with ``.sbom-cve-check.yocto.json``: this is the output JSON + report in the same format as the one deployed by the ``cve-check`` class. + + - A file ending with ``.sbom-cve-check.spdx.json``: this is an output SPDX + report annonated with vulnerable CVEs. + +- The ``cve-check`` class output summary file (deployed in the + :term:`DEPLOY_DIR_IMAGE`) ending with ``.cve.txt`` is no longer + deployed by default but can be added back by adding the following statement + to a configuration file:: + + SBOM_CVE_CHECK_EXPORT_VARS:append = " SBOM_CVE_CHECK_EXPORT_SUMMARY" + + This will deploy a new file ending with ``.cve.txt``, which uses the same + format as the summary previously deployed by the ``cve-check`` class. + + See the documentation of :term:`SBOM_CVE_CHECK_EXPORT_VARS` for more + details. + +- The ``CVE_CHECK_SHOW_WARNINGS`` variable, which was used to control whether + the ``cve-check`` would print warning when unpatched CVEs were found, is now + removed and replaced by the :term:`SBOM_CVE_CHECK_SHOW_WARNINGS` variable, + which does the same. + +See the :doc:`/security-manual/vulnerabilities` section of the Yocto Project +Security Manual for more information. + :term:`CVE_PRODUCT` character escaping change --------------------------------------------- @@ -410,6 +485,10 @@ The following recipes have been removed in this release: (OE-Core)` and Python 3.14 now has built-in support for zstd (:oecore_rev:`55061de857657ea01babc5652caa062e8d292c44`) +- ``cve-update-db-native``, ``cve-update-nvd2-native``: removed with the + ``cve-check`` class removal as it was the only user of these recipes. + (:oecore_rev:`00de455f8d3aeca880129d23e8cfb7e246404699`) + Removed :term:`PACKAGECONFIG` options ------------------------------------- 
diff --git a/documentation/migration-guides/release-notes-6.0.rst b/documentation/migration-guides/release-notes-6.0.rst index 31d4cdfce..9d611d70a 100644 --- a/documentation/migration-guides/release-notes-6.0.rst +++ b/documentation/migration-guides/release-notes-6.0.rst 
@@ -574,9 +574,6 @@ New Features / Enhancements in |yocto-ver| - :ref:`ref-classes-sbom-cve-check`-related changes: - - ``cve-update-nvd2-native``: Use maximum CVSS score when extracting it from - multiple sources (:oecore_rev:`4f6192f3165de0bc2499e045607c7e7ffd878a4b`) - - Escape special characters in CPE 2.3 strings (:oecore_rev:`9dd9c0038907340ba08ff4c8ee06a8748c1ac00a`) From patchwork Fri Apr 24 08:28:40 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antonin Godard X-Patchwork-Id: 86815 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 30D68F589DF for ; Fri, 24 Apr 2026 08:29:10 +0000 (UTC) Received: from smtpout-03.galae.net (smtpout-03.galae.net [185.246.85.4]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.16369.1777019342908725577 for ; Fri, 24 Apr 2026 01:29:03 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@bootlin.com header.s=dkim header.b=XKGHqaog; spf=pass (domain: bootlin.com, ip: 185.246.85.4, mailfrom: antonin.godard@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-03.galae.net (Postfix) with ESMTPS id 555DA4E42AE6 for ; Fri, 24 Apr 2026 08:29:01 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id 2D5A3604EB for ; Fri, 24 Apr 2026 08:29:01 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 55D111072073E; Fri, 24 Apr 2026 10:28:59 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=dkim; t=1777019340; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; 
From: Antonin Godard
Date: Fri, 24 Apr 2026 10:28:40 +0200
Subject: [PATCH v2 12/18] migration-guides/release-notes-6.0.rst: cover recent changes
Message-Id: <20260424-third-release-notes-6-0-v2-12-4feacf138e13@bootlin.com>
To: docs@lists.yoctoproject.org
Cc: Thomas Petazzoni, Antonin Godard
X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/9350

Cover changes between 00de455f8d3a ("classes/cve-check: remove class") and 9a83f0878b6b ("busybox: fix
for CVE-2026-26157, CVE-2026-26158") in OE-Core. There were no changes to BitBake and meta-yocto since the last update of these release notes. Signed-off-by: Antonin Godard --- .../migration-guides/release-notes-6.0.rst | 31 ++++++++++++++++++---- 1 file changed, 26 insertions(+), 5 deletions(-) diff --git a/documentation/migration-guides/release-notes-6.0.rst b/documentation/migration-guides/release-notes-6.0.rst index 9d611d70a..524a1a199 100644 --- a/documentation/migration-guides/release-notes-6.0.rst +++ b/documentation/migration-guides/release-notes-6.0.rst @@ -237,8 +237,6 @@ New Features / Enhancements in |yocto-ver| in the default distro setup (appearing as ``nodistro`` :term:`DISTRO`) (:oecore_rev:`175fcf9fad699dd122680d3f6961af9bf8487046`) -- Architecture-specific changes: - - QEMU / ``runqemu`` changes: - ``qemuboot```: Make the tap interface nameserver configurable through @@ -289,6 +287,9 @@ New Features / Enhancements in |yocto-ver| - Enable dynamic LLVM linking by default (:oecore_rev:`d0671c3dad87a063b3a41dd07cde89b5684e692c`) + - Enable fully static linking when :term:`TCLIBC` is set to ``musl`` + (:oecore_rev:`75409c60e9e63fdcbb9d4f54130052991362ec08`) + - Wic Image Creator changes: - ``wic/engine``: Fix copying directories into wic image with ``ext*`` @@ -297,7 +298,13 @@ New Features / Enhancements in |yocto-ver| - Re-implement sector-size support (:oecore_rev:`b50d6debf7baa555fbfb3521c4f952675bba2d37`) -- SDK-related changes: + - The Wic tool is now maintained in a separate project, no longer part of + :term:`OpenEmbedded-Core (OE-Core)`: :yocto_git:`/wic/` + + - A new ``wicenv`` type can be added to :term:`IMAGE_FSTYPES` to place the + ``.env`` file generate by Wic in the deployment directory + (:term:`DEPLOY_DIR_IMAGE`) + (:oecore_rev:`e4d49702f21fb75444d58f419432649a04e351c9`) - Testing-related changes: 
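Review bot: in the @@ -297,7 +298,13 @@ hunk, the new ``wicenv`` bullet says "``.env`` file generate by Wic", which should be "generated by Wic". The first added bullet, about Wic moving to a separate project, carries no ``:oecore_rev:`` reference, unlike the other entries in this list; adding the commit that removed Wic from OE-Core would let readers trace the change.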
@@ -374,6 +381,9 @@ New Features / Enhancements in |yocto-ver| - Update data if CVE exists (:oecore_rev:`9ea6d9209b95f8d31975d71315fb52343e6aa729`) - Validate that cve details field exists (:oecore_rev:`80ff4903ea1b839f9cd9393b314c3adfbb80b765`) + - ``oe-pkgdata-util``: improve the ``lookup-pkg`` error message for + :term:`RPROVIDES` packages + (:oecore_rev:`46ff3a8d2c18fcba87c711bb23dbdabae20eef84`) - BitBake changes: @@ -463,7 +473,9 @@ New Features / Enhancements in |yocto-ver| configuration options when fetching Git repositories (:bitbake_rev:`4c378445969853d6aff4694d937b9af47c7f7300`) -- Packaging changes: + - When using the ``subpath`` parameter with the Git fetcher in an + :term:`SRC_URI`, properly make the ``HEAD`` point to the value specified + in :term:`SRCREV`. - Clang/LLVM related changes: @@ -517,7 +529,6 @@ New Features / Enhancements in |yocto-ver| :term:`SPDX_INCLUDE_VEX` variable (:oecore_rev:`d999ac407c86b462134008818d5863ecb577f3c6`) - - ``devtool`` changes: - ``ide-sdk``: @@ -580,6 +591,7 @@ New Features / Enhancements in |yocto-ver| - New :term:`PACKAGECONFIG` options for individual recipes: - ``curl``: ``schannel`` + - ``gstreamer1.0-plugins-bad``: ``fdkaac`` - ``gstreamer1.0-plugins-good``: ``qt6`` - ``libinput``: ``lua``, ``libwacom``, ``mtdev`` - ``librepo``: ``sequoia`` @@ -590,6 +602,8 @@ New Features / Enhancements in |yocto-ver| - ``python3``: ``freethreading`` (experimental, see :oecore_rev:`c56990178b31b893fbf695eaf6b67de501e9d2e9`) - ``python3-cryptography``: ``legacy-openssl`` + - ``systemd``: ``osc-context`` + - ``systemtap``: ``readline`` - systemd related changes: 
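Review bot: in the @@ -463,7 +473,9 @@ hunk, the new entry about the ``subpath`` parameter of the Git fetcher has no ``:bitbake_rev:`` reference, while the entry just above it cites one. Please add the BitBake commit so the behaviour change to ``HEAD`` and :term:`SRCREV` can be traced. In the @@ -374,6 +381,9 @@ hunk, the ``oe-pkgdata-util`` entry starts its description in lowercase ("improve") while the neighbouring entries are capitalized ("Update", "Validate").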
@@ -733,6 +747,13 @@ New Features / Enhancements in |yocto-ver| - :ref:`ref-classes-archiver`: Don't try to preserve all attributes when copying files (:oecore_rev:`6e8313688fa994c82e4c846993ed8da0d1f4db0e`) + - :ref:`ref-classes-useradd`: allow inheriting the class with only + :term:`USERADD_DEPENDS` set, when a recipe only depends on users/groups + created by another (:oecore_rev:`09a901b9874f76e665fb4ba9e537703a792011e3`) + + - ``vim``: disable `GTK+3` UI by default + (:oecore_rev:`a07763f03d4faacca4470e4f1f80f766ed068296`) + Known Issues in |yocto-ver| --------------------------- From patchwork Fri Apr 24 08:28:41 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antonin Godard X-Patchwork-Id: 86816 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3D48CFAD41C for ; Fri, 24 Apr 2026 08:29:10 +0000 (UTC) Received: from smtpout-03.galae.net (smtpout-03.galae.net [185.246.85.4]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.16698.1777019344080183100 for ; Fri, 24 Apr 2026 01:29:04 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@bootlin.com header.s=dkim header.b=2A+yuCNc; spf=pass (domain: bootlin.com, ip: 185.246.85.4, mailfrom: antonin.godard@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-03.galae.net (Postfix) with ESMTPS id 7F9F14E42AE9 for ; Fri, 24 Apr 2026 08:29:02 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id 561A4604EB for ; Fri, 24 Apr 2026 08:29:02 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id 165D410720737; Fri, 24 Apr 2026 10:29:01 +0200 (CEST) DKIM-Signature: v=1; 
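Review bot: in the @@ -733,6 +747,13 @@ hunk, the ``vim`` entry writes `GTK+3` with single backticks, which reStructuredText treats as the default interpreted-text role rather than as a literal. Use double backticks, as the rest of the file does for literals, or plain text. The two added entries also start their descriptions in lowercase ("allow", "disable") while the ``archiver`` entry above is capitalized ("Don't try").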
From: Antonin Godard
Date: Fri, 24 Apr 2026 10:28:41 +0200
Subject: [PATCH v2 13/18] migration-guides/release-notes-6.0.rst: add license changes
Message-Id: <20260424-third-release-notes-6-0-v2-13-4feacf138e13@bootlin.com>
To: docs@lists.yoctoproject.org
Cc: Thomas Petazzoni, Antonin Godard
X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/9351

Add license changes between yocto-5.3 and 8751ec834211 ("build-appliance-image: Update to whinlatter head
revisions") on OE-Core. Signed-off-by: Antonin Godard --- .../migration-guides/release-notes-6.0.rst | 30 +++++++++++++++++++--- 1 file changed, 26 insertions(+), 4 deletions(-) diff --git a/documentation/migration-guides/release-notes-6.0.rst b/documentation/migration-guides/release-notes-6.0.rst index 524a1a199..16cd2a8e3 100644 --- a/documentation/migration-guides/release-notes-6.0.rst +++ b/documentation/migration-guides/release-notes-6.0.rst 
@@ -764,18 +764,40 @@ Known Issues in |yocto-ver| Recipe License changes in |yocto-ver| ------------------------------------- +.. + Going through commits on OE-Core filtered by License-Update: + git log -U0 --patch --grep "License-Update:" yocto-5.3..origin/master + The following changes have been made to the :term:`LICENSE` values set by recipes: .. list-table:: :widths: 20 40 40 :header-rows: 1 - * - Recipe - - Previous value - - New value - * - ``recipe name`` + * - Recipe(s) - Previous value - New value + * - ``libxcrypt-compat``, ``libxcrypt`` + - ``LGPL-2.1-only`` + - ``LGPL-2.1-only & 0BSD & BSD-3-Clause`` + * - ``libpcre2`` + - ``BSD-3-Clause`` + - ``BSD-3-Clause & BSD-2-Clause & MIT`` + * - ``libtest-fatal-perl`` + - ``Artistic-1.0 | GPL-1.0-or-later`` + - ``Artistic-1.0-Perl | GPL-1.0-or-later`` + * - ``python3-cffi`` + - ``MIT`` + - ``MIT-0`` + * - ``icu`` + - ``ICU`` + - ``ICU & MIT`` + * - ``iso-code`` + - ``LGPL-2.1-only`` + - ``LGPL-2.1-or-later`` + * - ``ruby`` + - ``Ruby | BSD-2-Clause | BSD-3-Clause | GPL-2.0-only | ISC | MIT`` + - ``Ruby | BSD-2-Clause | BSD-3-Clause | GPL-2.0-only | ISC | MIT | BSL-1.0 | Apache-2.0`` Security Fixes in |yocto-ver| ----------------------------- From patchwork Fri Apr 24 08:28:42 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antonin Godard X-Patchwork-Id: 86819 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 480FDFC0379 for ; Fri, 24 Apr 2026 08:29:10 +0000 (UTC) Received: from smtpout-03.galae.net (smtpout-03.galae.net [185.246.85.4]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.16699.1777019345732188058 for ; Fri, 24 Apr 2026 01:29:06 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" 
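Review bot: in the @@ -764,18 +764,40 @@ hunk, the comment added above the license table records a ``git log`` range ending at ``origin/master``, which moves over time, while the commit message says the table covers changes up to 8751ec834211. Recording that end revision in the comment would let the next update start from a known point and make the table reproducible.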
From: Antonin Godard
Date: Fri, 24 Apr 2026 10:28:42 +0200
Subject: [PATCH v2 14/18] migration-guides/release-notes-6.0.rst: update CVE fixes
Message-Id: <20260424-third-release-notes-6-0-v2-14-4feacf138e13@bootlin.com>
To: docs@lists.yoctoproject.org
Cc: Thomas Petazzoni, Antonin Godard
X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/9352

Use documentation/tools/gen-cve-release-notes to generate the array.
Signed-off-by: Antonin Godard --- .../migration-guides/release-notes-6.0.rst | 69 +++++++++++++++++++++- 1 file changed, 67 insertions(+), 2 deletions(-) + * - ``vim`` + - :cve_nist:`2026-28417`, :cve_nist:`2026-28418`, :cve_nist:`2026-28419`, :cve_nist:`2026-28420`, :cve_nist:`2026-28421`, :cve_nist:`2026-28422`, :cve_nist:`2026-33412`, :cve_nist:`2026-34714`, :cve_nist:`2026-35177` + * - ``xz`` + - :cve_nist:`2026-34743` Recipe Upgrades in |yocto-ver| ------------------------------ diff --git a/documentation/migration-guides/release-notes-6.0.rst b/documentation/migration-guides/release-notes-6.0.rst index 16cd2a8e3..c447292fe 100644 --- a/documentation/migration-guides/release-notes-6.0.rst +++ b/documentation/migration-guides/release-notes-6.0.rst @@ -802,6 +802,9 @@ The following changes have been made to the :term:`LICENSE` values set by recipe Security Fixes in |yocto-ver| ----------------------------- +.. + Generated with documentation/tools/gen-cve-release-notes + The following CVEs have been fixed: .. list-table:: 
@@ -810,8 +813,70 @@ The following CVEs have been fixed: * - Recipe - CVE IDs - * - ``recipe name`` - - :cve_nist:`xxx-xxxx`, ... + * - ``avahi`` + - :cve_nist:`2025-59529`, :cve_nist:`2026-34933` + * - ``binutils`` + - :cve_nist:`2025-69644`, :cve_nist:`2025-69647`, :cve_nist:`2025-69648`, :cve_nist:`2025-69649`, :cve_nist:`2025-69650`, :cve_nist:`2025-69651`, :cve_nist:`2025-69652`, :cve_nist:`2026-3441`, :cve_nist:`2026-3442`, :cve_nist:`2026-4647` + * - ``binutils-cross-x86_64`` + - :cve_nist:`2025-69644`, :cve_nist:`2025-69647`, :cve_nist:`2025-69648`, :cve_nist:`2025-69649`, :cve_nist:`2025-69650`, :cve_nist:`2025-69651`, :cve_nist:`2025-69652`, :cve_nist:`2026-3441`, :cve_nist:`2026-3442`, :cve_nist:`2026-4647` + * - ``binutils-testsuite`` + - :cve_nist:`2025-69644`, :cve_nist:`2025-69647`, :cve_nist:`2025-69648`, :cve_nist:`2025-69649`, :cve_nist:`2025-69650`, :cve_nist:`2025-69651`, :cve_nist:`2025-69652`, :cve_nist:`2026-3441`, :cve_nist:`2026-3442`, :cve_nist:`2026-4647` + * - ``cargo`` + - :cve_nist:`2026-39837`, :cve_nist:`2026-39839`, :cve_nist:`2026-39840`, :cve_nist:`2026-39841` + * - ``cups`` + - :cve_nist:`2026-34978`, :cve_nist:`2026-34979`, :cve_nist:`2026-34980`, :cve_nist:`2026-34990`, :cve_nist:`2026-39314`, :cve_nist:`2026-39316` + * - ``ffmpeg`` + - :cve_nist:`2025-69693`, :cve_nist:`2026-40962` + * - ``glibc`` + - :cve_nist:`2026-4046`, :cve_nist:`2026-4437`, :cve_nist:`2026-4438` + * - ``go`` + - :cve_nist:`2026-27140`, :cve_nist:`2026-27143`, :cve_nist:`2026-27144`, :cve_nist:`2026-32280`, :cve_nist:`2026-32281`, :cve_nist:`2026-32282`, :cve_nist:`2026-32283`, :cve_nist:`2026-32288`, :cve_nist:`2026-32289` + * - ``go-binary-native`` + - :cve_nist:`2026-27140`, :cve_nist:`2026-27143`, :cve_nist:`2026-27144`, :cve_nist:`2026-32280`, :cve_nist:`2026-32281`, :cve_nist:`2026-32282`, :cve_nist:`2026-32283`, :cve_nist:`2026-32288`, :cve_nist:`2026-32289` + * - ``go-cross-x86-64-v3`` + - :cve_nist:`2026-27140`, :cve_nist:`2026-27143`, 
:cve_nist:`2026-27144`, :cve_nist:`2026-32280`, :cve_nist:`2026-32281`, :cve_nist:`2026-32282`, :cve_nist:`2026-32283`, :cve_nist:`2026-32288`, :cve_nist:`2026-32289` + * - ``go-runtime`` + - :cve_nist:`2026-27140`, :cve_nist:`2026-27143`, :cve_nist:`2026-27144`, :cve_nist:`2026-32280`, :cve_nist:`2026-32281`, :cve_nist:`2026-32282`, :cve_nist:`2026-32283`, :cve_nist:`2026-32288`, :cve_nist:`2026-32289` + * - ``gstreamer1.0`` + - :cve_nist:`2026-2920`, :cve_nist:`2026-2921`, :cve_nist:`2026-2922`, :cve_nist:`2026-2923`, :cve_nist:`2026-3081`, :cve_nist:`2026-3082`, :cve_nist:`2026-3083`, :cve_nist:`2026-3084`, :cve_nist:`2026-3085`, :cve_nist:`2026-3086` + * - ``libarchive`` + - :cve_nist:`2026-5121` + * - ``libexif`` + - :cve_nist:`2026-40385`, :cve_nist:`2026-40386` + * - ``libinput`` + - :cve_nist:`2026-35093`, :cve_nist:`2026-35094` + * - ``libpng`` + - :cve_nist:`2026-33416`, :cve_nist:`2026-33636` + * - ``libsndfile1`` + - :cve_nist:`2024-50613`, :cve_nist:`2025-52194` + * - ``libsoup`` + - :cve_nist:`2026-1467`, :cve_nist:`2026-1536`, :cve_nist:`2026-1539`, :cve_nist:`2026-1801`, :cve_nist:`2026-2443`, :cve_nist:`2026-3099`, :cve_nist:`2026-3632`, :cve_nist:`2026-3633`, :cve_nist:`2026-3634`, :cve_nist:`2026-4271`, :cve_nist:`2026-5119` + * - ``linux-yocto`` + - :cve_nist:`2019-14899`, :cve_nist:`2021-3714`, :cve_nist:`2021-3864`, :cve_nist:`2022-0400`, :cve_nist:`2022-1247`, :cve_nist:`2022-4543`, :cve_nist:`2023-3397`, :cve_nist:`2023-3640`, :cve_nist:`2023-4010`, :cve_nist:`2023-6238`, :cve_nist:`2023-6240`, :cve_nist:`2025-40039`, :cve_nist:`2025-40040`, :cve_nist:`2025-40082`, :cve_nist:`2025-40149`, :cve_nist:`2025-40164`, :cve_nist:`2025-40251`, :cve_nist:`2025-68211`, :cve_nist:`2025-68214`, :cve_nist:`2025-68223`, :cve_nist:`2025-68333`, :cve_nist:`2025-68340`, :cve_nist:`2025-68351`, :cve_nist:`2025-68358`, :cve_nist:`2025-68365`, :cve_nist:`2025-68725`, :cve_nist:`2025-68749`, :cve_nist:`2025-68817`, :cve_nist:`2025-68823`, :cve_nist:`2025-71071`, 
:cve_nist:`2025-71072`, :cve_nist:`2025-71073`, :cve_nist:`2025-71074`, :cve_nist:`2025-71075`, :cve_nist:`2025-71076`, :cve_nist:`2025-71077`, :cve_nist:`2025-71078`, :cve_nist:`2025-71079`, :cve_nist:`2025-71080`, :cve_nist:`2025-71081`, :cve_nist:`2025-71082`, :cve_nist:`2025- 71083`, :cve_nist:`2025-71084`, :cve_nist:`2025-71085`, :cve_nist:`2025-71086`, :cve_nist:`2025-71087`, :cve_nist:`2025-71088`, :cve_nist:`2025-71089`, :cve_nist:`2025-71091`, :cve_nist:`2025-71093`, :cve_nist:`2025-71094`, :cve_nist:`2025-71095`, :cve_nist:`2025-71096`, :cve_nist:`2025-71097`, :cve_nist:`2025-71098`, :cve_nist:`2025-71099`, :cve_nist:`2025-71100`, :cve_nist:`2025-71101`, :cve_nist:`2025-71102`, :cve_nist:`2025-71104`, :cve_nist:`2025-71105`, :cve_nist:`2025-71107`, :cve_nist:`2025-71108`, :cve_nist:`2025-71109`, :cve_nist:`2025-71111`, :cve_nist:`2025-71112`, :cve_nist:`2025-71113`, :cve_nist:`2025-71114`, :cve_nist:`2025-71115`, :cve_nist:`2025-71116`, :cve_nist:`2025-71117`, :cve_nist:`2025-71118`, :cve_nist:`2025-71119`, :cve_nist:`2025-71120`, :cve_nist:`2025-71121`, :cve_nist:`2025-71122`, :cve_nist:`2025-71124`, :cve_nist:`2025-71125`, :cve_nist:`2025-71126`, :cve_nist:`2025-71127`, :cve_nist:`2025-71128`, :cve_nist:`2025-71129`, :cve_nist:`2025-71130`, :cve_ nist:`2025-71131`, :cve_nist:`2025-71132`, :cve_nist:`2025-71133`, :cve_nist:`2025-71134`, :cve_nist:`2025-71135`, :cve_nist:`2025-71136`, :cve_nist:`2025-71137`, :cve_nist:`2025-71138`, :cve_nist:`2025-71141`, :cve_nist:`2025-71142`, :cve_nist:`2025-71143`, :cve_nist:`2025-71147`, :cve_nist:`2025-71148`, :cve_nist:`2025-71149`, :cve_nist:`2025-71150`, :cve_nist:`2025-71151`, :cve_nist:`2025-71152`, :cve_nist:`2025-71153`, :cve_nist:`2025-71154`, :cve_nist:`2025-71156`, :cve_nist:`2025-71157`, :cve_nist:`2025-71158`, :cve_nist:`2025-71160`, :cve_nist:`2025-71161`, :cve_nist:`2025-71162`, :cve_nist:`2025-71163`, :cve_nist:`2025-71180`, :cve_nist:`2025-71182`, :cve_nist:`2025-71183`, :cve_nist:`2025-71184`, 
:cve_nist:`2025-71185`, :cve_nist:`2025-71186`, :cve_nist:`2025-71187`, :cve_nist:`2025-71188`, :cve_nist:`2025-71189`, :cve_nist:`2025-71190`, :cve_nist:`2025-71191`, :cve_nist:`2025-71200`, :cve_nist:`2025-71201`, :cve_nist:`2025-71202`, :cve_nist:`2025-71203`, :cve_nist:`2025-71 204`, :cve_nist:`2025-71220`, :cve_nist:`2025-71221`, :cve_nist:`2025-71222`, :cve_nist:`2025-71223`, :cve_nist:`2025-71225`, :cve_nist:`2025-71227`, :cve_nist:`2025-71229`, :cve_nist:`2025-71230`, :cve_nist:`2025-71231`, :cve_nist:`2025-71232`, :cve_nist:`2025-71233`, :cve_nist:`2025-71234`, :cve_nist:`2025-71235`, :cve_nist:`2025-71236`, :cve_nist:`2025-71237`, :cve_nist:`2025-71238`, :cve_nist:`2026-22976`, :cve_nist:`2026-22977`, :cve_nist:`2026-22978`, :cve_nist:`2026-22979`, :cve_nist:`2026-22980`, :cve_nist:`2026-22981`, :cve_nist:`2026-22982`, :cve_nist:`2026-22984`, :cve_nist:`2026-22985`, :cve_nist:`2026-22986`, :cve_nist:`2026-22989`, :cve_nist:`2026-22990`, :cve_nist:`2026-22991`, :cve_nist:`2026-22992`, :cve_nist:`2026-22993`, :cve_nist:`2026-22994`, :cve_nist:`2026-22996`, :cve_nist:`2026-22997`, :cve_nist:`2026-22998`, :cve_nist:`2026-22999`, :cve_nist:`2026-23000`, :cve_nist:`2026-23001`, :cve_nist:`2026-23002`, :cve_nist:`2026-23003`, :cve_nist:`2026-23005`, :cve_ni st:`2026-23006`, :cve_nist:`2026-23007`, :cve_nist:`2026-23008`, :cve_nist:`2026-23009`, :cve_nist:`2026-23010`, :cve_nist:`2026-23011`, :cve_nist:`2026-23013`, :cve_nist:`2026-23015`, :cve_nist:`2026-23017`, :cve_nist:`2026-23018`, :cve_nist:`2026-23019`, :cve_nist:`2026-23020`, :cve_nist:`2026-23021`, :cve_nist:`2026-23023`, :cve_nist:`2026-23025`, :cve_nist:`2026-23026`, :cve_nist:`2026-23060`, :cve_nist:`2026-23061`, :cve_nist:`2026-23062`, :cve_nist:`2026-23063`, :cve_nist:`2026-23064`, :cve_nist:`2026-23065`, :cve_nist:`2026-23066`, :cve_nist:`2026-23067`, :cve_nist:`2026-23068`, :cve_nist:`2026-23069`, :cve_nist:`2026-23070`, :cve_nist:`2026-23071`, :cve_nist:`2026-23072`, :cve_nist:`2026-23073`, 
:cve_nist:`2026-23074`, :cve_nist:`2026-23075`, :cve_nist:`2026-23076`, :cve_nist:`2026-23077`, :cve_nist:`2026-23078`, :cve_nist:`2026-23080`, :cve_nist:`2026-23081`, :cve_nist:`2026-23083`, :cve_nist:`2026-23084`, :cve_nist:`2026-23085`, :cve_nist:`2026-23086`, :cve_nist:`2026-2308 7`, :cve_nist:`2026-23088`, :cve_nist:`2026-23089`, :cve_nist:`2026-23090`, :cve_nist:`2026-23091`, :cve_nist:`2026-23092`, :cve_nist:`2026-23093`, :cve_nist:`2026-23094`, :cve_nist:`2026-23095`, :cve_nist:`2026-23096`, :cve_nist:`2026-23097`, :cve_nist:`2026-23098`, :cve_nist:`2026-23099`, :cve_nist:`2026-23100`, :cve_nist:`2026-23101`, :cve_nist:`2026-23102`, :cve_nist:`2026-23103`, :cve_nist:`2026-23104`, :cve_nist:`2026-23105`, :cve_nist:`2026-23107`, :cve_nist:`2026-23108`, :cve_nist:`2026-23109`, :cve_nist:`2026-23110`, :cve_nist:`2026-23111`, :cve_nist:`2026-23112`, :cve_nist:`2026-23113`, :cve_nist:`2026-23114`, :cve_nist:`2026-23115`, :cve_nist:`2026-23116`, :cve_nist:`2026-23118`, :cve_nist:`2026-23119`, :cve_nist:`2026-23120`, :cve_nist:`2026-23121`, :cve_nist:`2026-23122`, :cve_nist:`2026-23123`, :cve_nist:`2026-23124`, :cve_nist:`2026-23125`, :cve_nist:`2026-23126`, :cve_nist:`2026-23128`, :cve_nist:`2026-23129`, :cve_nist:`2026-23130`, :cve_nist:`2026-23131`, :cve_nist :`2026-23133`, :cve_nist:`2026-23135`, :cve_nist:`2026-23136`, :cve_nist:`2026-23137`, :cve_nist:`2026-23138`, :cve_nist:`2026-23139`, :cve_nist:`2026-23140`, :cve_nist:`2026-23141`, :cve_nist:`2026-23142`, :cve_nist:`2026-23143`, :cve_nist:`2026-23144`, :cve_nist:`2026-23146`, :cve_nist:`2026-23147`, :cve_nist:`2026-23148`, :cve_nist:`2026-23150`, :cve_nist:`2026-23151`, :cve_nist:`2026-23152`, :cve_nist:`2026-23154`, :cve_nist:`2026-23156`, :cve_nist:`2026-23157`, :cve_nist:`2026-23158`, :cve_nist:`2026-23160`, :cve_nist:`2026-23161`, :cve_nist:`2026-23163`, :cve_nist:`2026-23164`, :cve_nist:`2026-23166`, :cve_nist:`2026-23167`, :cve_nist:`2026-23168`, :cve_nist:`2026-23169`, :cve_nist:`2026-23170`, 
:cve_nist:`2026-23171`, :cve_nist:`2026-23172`, :cve_nist:`2026-23173`, :cve_nist:`2026-23186`, :cve_nist:`2026-23187`, :cve_nist:`2026-23188`, :cve_nist:`2026-23190`, :cve_nist:`2026-23191`, :cve_nist:`2026-23192`, :cve_nist:`2026-23193`, :cve_nist:`2026-23195`, :cve_nist:`2026-23196` , :cve_nist:`2026-23197`, :cve_nist:`2026-23198`, :cve_nist:`2026-23199`, :cve_nist:`2026-23201`, :cve_nist:`2026-23204`, :cve_nist:`2026-23205`, :cve_nist:`2026-23206`, :cve_nist:`2026-23208`, :cve_nist:`2026-23209`, :cve_nist:`2026-23210`, :cve_nist:`2026-23212`, :cve_nist:`2026-23213`, :cve_nist:`2026-23214`, :cve_nist:`2026-23215`, :cve_nist:`2026-23216`, :cve_nist:`2026-23217`, :cve_nist:`2026-23219`, :cve_nist:`2026-23220`, :cve_nist:`2026-23221`, :cve_nist:`2026-23222`, :cve_nist:`2026-23223`, :cve_nist:`2026-23224`, :cve_nist:`2026-23226`, :cve_nist:`2026-23227`, :cve_nist:`2026-23228`, :cve_nist:`2026-23229`, :cve_nist:`2026-23230`, :cve_nist:`2026-23231`, :cve_nist:`2026-23233`, :cve_nist:`2026-23234`, :cve_nist:`2026-23235`, :cve_nist:`2026-23236`, :cve_nist:`2026-23237`, :cve_nist:`2026-23238` + * - ``mesa`` + - :cve_nist:`2026-40393` + * - ``nfs-utils`` + - :cve_nist:`2025-12801` + * - ``nghttp2`` + - :cve_nist:`2026-27135` + * - ``openssh`` + - :cve_nist:`2026-35414` + * - ``python3`` + - :cve_nist:`2026-4519` + * - ``python3-requests`` + - :cve_nist:`2026-25645` + * - ``qemu`` + - :cve_nist:`2024-6519` + * - ``qemu-system-native`` + - :cve_nist:`2024-6519` + * - ``sqlite3`` + - :cve_nist:`2025-70873` + * - ``systemd-boot`` + - :cve_nist:`2026-29111`, :cve_nist:`2026-40226` From patchwork Fri Apr 24 08:28:43 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Antonin Godard X-Patchwork-Id: 86813 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain 
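Review bot: in the @@ -810,8 +813,70 @@ hunk, the generated table repeats identical CVE lists across variant recipes: ``binutils``, ``binutils-cross-x86_64`` and ``binutils-testsuite`` carry the same ten IDs, the four ``go*`` rows the same nine, and ``qemu`` and ``qemu-system-native`` the same one. The ``binutils-cross-x86_64`` and ``go-cross-x86-64-v3`` names are also specific to one architecture. Consider having gen-cve-release-notes merge rows that share a CVE set, or list only the base recipe, so that the table stays readable and does not depend on the configuration it was generated with.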
[127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 043DEFB44D6 for ; Fri, 24 Apr 2026 08:29:10 +0000 (UTC) Received: from smtpout-03.galae.net (smtpout-03.galae.net [185.246.85.4]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.16372.1777019347362259120 for ; Fri, 24 Apr 2026 01:29:07 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@bootlin.com header.s=dkim header.b=1CbEqops; spf=pass (domain: bootlin.com, ip: 185.246.85.4, mailfrom: antonin.godard@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-03.galae.net (Postfix) with ESMTPS id C09944E42AE9 for ; Fri, 24 Apr 2026 08:29:05 +0000 (UTC) Received: from mail.galae.net (mail.galae.net [212.83.136.155]) by smtpout-01.galae.net (Postfix) with ESMTPS id 98812604EB for ; Fri, 24 Apr 2026 08:29:05 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPSA id D643C10720743; Fri, 24 Apr 2026 10:29:03 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bootlin.com; s=dkim; t=1777019344; h=from:subject:date:message-id:to:cc:mime-version:content-type: content-transfer-encoding:in-reply-to:references; bh=6hewb+qZ01hJxJm/kHFp3N9hRt8TdJgiLwjnT6n+xws=; b=1CbEqopsw1qqablQae+MuYU1yJ+C9/OWTcCm/3viFbOjmSbuWi4TwH5Fz45WLNAJG9tVJx FrlkboyAWqbR2qMn/HPWWTkm35QVFEUKw2NvEBK1jL0O/b3hFVxJRuUBDE0vI54FQtKrB1 ErETMKy+DDkkI05e6xDtRd5P7Y/dJrvn2mYumuyhnAEzgLvTuq+1ykxBvQrxjMYJlPVYlV x+aiIpDtz5JkTiJGN16rxqlHy9buL+1/KH+uS86eeB8YLFNpiyU0NUdXGIkJ8fBiKnZ4gE kn3w5n450rD+aaflM2kKri0OvaewmsMDkcb7qzSfArzIDqJ6TFVcY9pPUYhWzw== 
From: Antonin Godard
Date: Fri, 24 Apr 2026 10:28:43 +0200
Subject: [PATCH v2 15/18] migration-guides/release-notes-6.0.rst: add recipe version changes
Message-Id: <20260424-third-release-notes-6-0-v2-15-4feacf138e13@bootlin.com>
References: <20260424-third-release-notes-6-0-v2-0-4feacf138e13@bootlin.com>
In-Reply-To: <20260424-third-release-notes-6-0-v2-0-4feacf138e13@bootlin.com>
To: docs@lists.yoctoproject.org
Cc: Thomas Petazzoni, Antonin Godard
X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/9353

Signed-off-by: Antonin Godard --- .../migration-guides/release-notes-6.0.rst | 1133 +++++++++++++++++++- 1 file changed, 1128 insertions(+), 5 deletions(-) diff --git a/documentation/migration-guides/release-notes-6.0.rst b/documentation/migration-guides/release-notes-6.0.rst index c447292fe..8f09223d0 100644 --- a/documentation/migration-guides/release-notes-6.0.rst +++ b/documentation/migration-guides/release-notes-6.0.rst @@ -881,6 +881,10 @@ The following CVEs have been fixed: Recipe Upgrades in |yocto-ver| ------------------------------ +.. + Generated with https://layers.openembedded.org/layerindex/branch_comparison + With "rST" output selected + The following recipes have been upgraded: .. list-table:: 
@@ -888,11 +892,1130 @@ The following recipes have been upgraded: :header-rows: 1 * - Recipe - - Previous version - - New version - * - ``recipe name`` - - Previous version - - New version + - Previous version(s) + - New version(s) + * - ``acpica`` + - 20250807 + - 20251212 + * - ``adwaita-icon-theme`` + - 48.0 + - 49.0 + * - ``alsa-lib`` + - 1.2.14 + - 1.2.15.3 + * - ``alsa-tools`` + - 1.2.14 + - 1.2.15 + * - ``alsa-ucm-conf`` + - 1.2.14 + - 1.2.15.3 + * - ``alsa-utils`` + - 1.2.14 + - 1.2.15.2 + * - ``appstream`` + - 1.0.6 + - 1.1.2 + * - ``aspell`` + - 0.60.8.1 + - 0.60.8.2 + * - ``at-spi2-core`` + - 2.56.4 + - 2.60.0 + * - ``autoconf`` + - 2.72 + - 2.73 + * - ``barebox`` + - 2025.09.3 + - 2026.04.0 + * - ``barebox-tools`` + - 2025.09.3 + - 2026.04.0 + * - ``base-passwd`` + - 3.6.7 + - 3.6.8 + * - ``bash-completion`` + - 2.16.0 + - 2.17.0 + * - ``bind`` + - 9.20.15 + - 9.20.22 + * - ``binutils`` + - 2.45.1+git + - 2.46 + * - ``binutils-cross`` + - 2.45.1+git + - 2.46 + * - ``binutils-cross-canadian`` + - 2.45.1+git + - 2.46 + * - ``binutils-crosssdk`` + - 2.45.1+git + - 2.46 + * - ``binutils-testsuite`` + - 2.45.1+git + - 2.46 + * - ``bluez5`` + - 5.84 + - 5.86 + * - ``boost`` + - 1.89.0 + - 1.90.0 + * - ``boost-build-native`` + - 1.89.0 + - 1.90.0 + * - ``btrfs-tools`` + - 6.16 + - 6.19.1 + * - ``cargo`` + - 1.90.0 + - 1.94.1 + * - ``cargo-c`` + - 0.10.16+cargo-0.91.0 + - 0.10.21+cargo-0.95.0 + * - ``ccache`` + - 4.12.3 + - 4.13.2 + * - ``clang`` + - 21.1.7 + - 22.1.3 + * - ``cmake`` + - 4.1.2 + - 4.3.1 + * - ``cmake-native`` + - 4.1.2 + - 4.3.1 + * - ``compiler-rt`` + - 21.1.7 + - 22.1.3 + * - ``compiler-rt-sanitizers`` + - 21.1.7 + - 22.1.3 + * - ``connman`` + - 1.45 + - 2.0 + * - ``coreutils`` + - 9.7 + - 9.10 + * - ``createrepo-c`` + - 1.2.1 + - 1.2.3 + * - ``cross-localedef-native`` + - 2.42+git + - 2.43+git + * - ``cryptodev-linux`` + - 1.14 (135cbff90af2…) + - 1.14 (08644db02d43…) + * - ``cryptodev-module`` + - 1.14 (135cbff90af2…) + - 1.14 
(08644db02d43…) + * - ``cryptodev-tests`` + - 1.14 (135cbff90af2…) + - 1.14 (08644db02d43…) + * - ``cups`` + - 2.4.15 + - 2.4.16 + * - ``curl`` + - 8.17.0 + - 8.19.0 + * - ``dhcpcd`` + - 10.2.4 + - 10.3.0 + * - ``diffoscope`` + - 306 + - 314 + * - ``dmidecode`` + - 3.6 + - 3.7 + * - ``dnf`` + - 4.23.0 + - 4.24.0 + * - ``dos2unix`` + - 7.5.2 + - 7.5.4 + * - ``dpkg`` + - 1.22.21 + - 1.23.7 + * - ``dropbear`` + - 2025.88 + - 2025.89 + * - ``e2fsprogs`` + - 1.47.3 + - 1.47.4 + * - ``ed`` + - 1.22.2 + - 1.22.5 + * - ``elfutils`` + - 0.193 + - 0.194 + * - ``ell`` + - 0.80 + - 0.83 + * - ``enchant2`` + - 2.8.14 + - 2.8.15 + * - ``epiphany`` + - 48.5 + - 49.7 + * - ``erofs-utils`` + - 1.8.10 + - 1.9.1 + * - ``ethtool`` + - 6.15 + - 6.19 + * - ``expat`` + - 2.7.4 + - 2.7.5 + * - ``fastfloat`` + - 8.0.2 + - 8.2.4 + * - ``ffmpeg`` + - 8.0 + - 8.0.1 + * - ``file`` + - 5.46 + - 5.47 + * - ``fmt`` + - 11.2.0 + - 12.1.0 + * - ``font-alias`` + - 1.0.5 + - 1.0.6 + * - ``freetype`` + - 2.13.3 + - 2.14.3 + * - ``gawk`` + - 5.3.2 + - 5.4.0 + * - ``gdb`` + - 16.3 + - 17.1 + * - ``gdb-cross`` + - 16.3 + - 17.1 + * - ``gdb-cross-canadian`` + - 16.3 + - 17.1 + * - ``gdk-pixbuf`` + - 2.42.12 + - 2.44.5 + * - ``gettext`` + - 0.26 + - 1.0 + * - ``gettext-minimal-native`` + - 0.26 + - 1.0 + * - ``gi-docgen`` + - 2025.4 + - 2026.1 + * - ``git`` + - 2.51.0 + - 2.53.0 + * - ``glew`` + - 2.2.0 + - 2.3.1 + * - ``glib-2.0`` + - 2.86.4 + - 2.88.0 + * - ``glib-2.0-initial`` + - 2.86.4 + - 2.88.0 + * - ``glibc`` + - 2.42+git + - 2.43+git + * - ``glibc-locale`` + - 2.42+git + - 2.43+git + * - ``glibc-mtrace`` + - 2.42+git + - 2.43+git + * - ``glibc-scripts`` + - 2.42+git + - 2.43+git + * - ``glibc-testsuite`` + - 2.42+git + - 2.43+git + * - ``glslang`` + - 1.4.328.1 + - 1.4.341.0 + * - ``gn`` + - 0+git (81b24e01531e…) + - 0+git (9d19a7870add…) + * - ``gnu-efi`` + - 4.0.2 + - 4.0.4 + * - ``gnupg`` + - 2.5.11 + - 2.5.17 + * - ``gnutls`` + - 3.8.10 + - 3.8.12 + * - ``go`` + - 1.25.9 + - 1.26.2 + * - 
``go-binary-native`` + - 1.25.9 + - 1.26.2 + * - ``go-cross-canadian`` + - 1.25.9 + - 1.26.2 + * - ``go-cross-core2-32`` + - 1.25.9 + - 1.26.2 + * - ``go-crosssdk`` + - 1.25.9 + - 1.26.2 + * - ``go-helloworld`` + - 0.1 (8b405629c4a5…) + - 0.1 (7f05d217867b…) + * - ``go-runtime`` + - 1.25.9 + - 1.26.2 + * - ``gobject-introspection`` + - 1.84.0 + - 1.86.0 + * - ``groff`` + - 1.23.0 + - 1.24.0 + * - ``grub`` + - 2.12 + - 2.14 + * - ``grub-efi`` + - 2.12 + - 2.14 + * - ``gsettings-desktop-schemas`` + - 48.0 + - 50.0 + * - ``gst-devtools`` + - 1.26.7 + - 1.28.2 + * - ``gst-examples`` + - 1.26.7 + - 1.28.2 + * - ``gstreamer1.0`` + - 1.26.7 + - 1.28.2 + * - ``gstreamer1.0-libav`` + - 1.26.7 + - 1.28.2 + * - ``gstreamer1.0-plugins-bad`` + - 1.26.7 + - 1.28.2 + * - ``gstreamer1.0-plugins-base`` + - 1.26.7 + - 1.28.2 + * - ``gstreamer1.0-plugins-good`` + - 1.26.7 + - 1.28.2 + * - ``gstreamer1.0-plugins-ugly`` + - 1.26.7 + - 1.28.2 + * - ``gstreamer1.0-python`` + - 1.26.7 + - 1.28.2 + * - ``gstreamer1.0-rtsp-server`` + - 1.26.7 + - 1.28.2 + * - ``gtk-doc`` + - 1.34.0 + - 1.35.1 + * - ``gtk4`` + - 4.18.6 + - 4.22.1 + * - ``harfbuzz`` + - 11.4.5 + - 12.3.2 + * - ``hwdata`` + - 0.399 + - 0.405 + * - ``hwlatdetect`` + - 2.9 + - 2.10 + * - ``icu`` + - 77-1 + - 78.3 + * - ``ifupdown`` + - 0.8.44 + - 0.8.45 + * - ``igt-gpu-tools`` + - 2.1 + - 2.3 + * - ``inetutils`` + - 2.6 + - 2.7 + * - ``iproute2`` + - 6.16.0 + - 6.19.0 + * - ``iptables`` + - 1.8.11 + - 1.8.13 + * - ``iso-codes`` + - 4.18.0 + - 4.20.1 + * - ``kbd`` + - 2.8.0 + - 2.9.0 + * - ``kea`` + - 3.0.1 + - 3.0.3 + * - ``kern-tools-native`` + - 0.3+git (f589e1df2325…) + - 0.3+git (a4a362d9f4f0…) + * - ``kexec-tools`` + - 2.0.31 + - 2.0.32 + * - ``kmscube`` + - 0.0.1+git (2c1f2646c5e5…) + - 0.0.1+git (f60e50e887d3…) + * - ``less`` + - 679 + - 692 + * - ``libadwaita`` + - 1.7.6 + - 1.8.4 + * - ``libarchive`` + - 3.8.6 + - 3.8.7 + * - ``libatomic-ops`` + - 7.8.4 + - 7.10.0 + * - ``libcap`` + - 2.76 + - 2.77 + * - ``libcap-ng`` + 
- 0.8.5 + - 0.9.1 + * - ``libcap-ng-python`` + - 0.8.5 + - 0.9.1 + * - ``libclc`` + - 21.1.7 + - 22.1.3 + * - ``libcomps`` + - 0.1.22 + - 0.1.24 + * - ``libcxx`` + - 21.1.7 + - 22.1.3 + * - ``libdisplay-info`` + - 0.2.0 + - 0.3.0 + * - ``libdnf`` + - 0.74.0 + - 0.75.0 + * - ``libdrm`` + - 2.4.125 + - 2.4.131 + * - ``libedit`` + - 20250104-3.1 + - 20251016-3.1 + * - ``libevdev`` + - 1.13.5 + - 1.13.6 + * - ``libexif`` + - 0.6.25 + - 0.6.26 + * - ``libfontenc`` + - 1.1.8 + - 1.1.9 + * - ``libgcrypt`` + - 1.11.2 + - 1.12.1 + * - ``libgit2`` + - 1.9.1 + - 1.9.2 + * - ``libgloss`` + - 4.5.0+git + - 4.6.0+git + * - ``libgpg-error`` + - 1.56 + - 1.59 + * - ``libinput`` + - 1.29.1 + - 1.30.2 + * - ``libjpeg-turbo`` + - 3.1.2 + - 3.1.3 + * - ``libksba`` + - 1.6.7 + - 1.6.8 + * - ``libnl`` + - 3.11.0 + - 3.12.0 + * - ``libnotify`` + - 0.8.6 + - 0.8.8 + * - ``libpam`` + - 1.7.1 + - 1.7.2 + * - ``libpciaccess`` + - 0.18.1 + - 0.19 + * - ``libpcre2`` + - 10.46 + - 10.47 + * - ``libproxy`` + - 0.5.10 + - 0.5.12 + * - ``librsvg`` + - 2.61.0 + - 2.61.3 + * - ``libsolv`` + - 0.7.35 + - 0.7.36 + * - ``libstd-rs`` + - 1.90.0 + - 1.94.1 + * - ``libtasn1`` + - 4.20.0 + - 4.21.0 + * - ``libtest-fatal-perl`` + - 0.017 + - 0.018 + * - ``libtirpc`` + - 1.3.6 + - 1.3.7 + * - ``libtraceevent`` + - 1.8.4 + - 1.9.0 + * - ``libubootenv`` + - 0.3.6 + - 0.3.7 + * - ``libunistring`` + - 1.3 + - 1.4.2 + * - ``liburcu`` + - 0.15.3 + - 0.15.6 + * - ``libuv`` + - 1.51.0 + - 1.52.1 + * - ``libva`` + - 2.22.0 + - 2.23.0 + * - ``libva-initial`` + - 2.22.0 + - 2.23.0 + * - ``libva-utils`` + - 2.22.0 + - 2.23.0 + * - ``libx11`` + - 1.8.12 + - 1.8.13 + * - ``libx11-compose-data`` + - 1.8.4 + - 1.8.12 + * - ``libxcomposite`` + - 0.4.6 + - 0.4.7 + * - ``libxcrypt`` + - 4.4.38 + - 4.5.2 + * - ``libxcrypt-compat`` + - 4.4.38 + - 4.5.2 + * - ``libxdamage`` + - 1.1.6 + - 1.1.7 + * - ``libxext`` + - 1.3.6 + - 1.3.7 + * - ``libxinerama`` + - 1.1.5 + - 1.1.6 + * - ``libxkbcommon`` + - 1.11.0 + - 1.13.1 + * - 
``libxkbfile`` + - 1.1.3 + - 1.2.0 + * - ``libxml2`` + - 2.14.6 + - 2.15.2 + * - ``libxmu`` + - 1.2.1 + - 1.3.1 + * - ``libxpm`` + - 3.5.17 + - 3.5.18 + * - ``libxrandr`` + - 1.5.4 + - 1.5.5 + * - ``libxslt`` + - 1.1.43 + - 1.1.45 + * - ``libxvmc`` + - 1.0.14 + - 1.0.15 + * - ``libxxf86vm`` + - 1.1.6 + - 1.1.7 + * - ``lighttpd`` + - 1.4.81 + - 1.4.82 + * - ``linux-firmware`` + - 20251111 + - 20260410 + * - ``linux-libc-headers`` + - 6.17 + - 6.18 + * - ``linux-yocto`` + - 6.12.69+git, 6.16.11+git + - 6.18.24+git + * - ``linux-yocto-dev`` + - 6.18+git + - 7.0+git + * - ``linux-yocto-rt`` + - 6.12.69+git, 6.16.11+git + - 6.18.24+git + * - ``linux-yocto-tiny`` + - 6.12.69+git, 6.16.11+git + - 6.18.24+git + * - ``lld`` + - 21.1.7 + - 22.1.3 + * - ``lldb`` + - 21.1.7 + - 22.1.3 + * - ``llvm`` + - 21.1.7 + - 22.1.3 + * - ``llvm-tblgen-native`` + - 21.1.7 + - 22.1.3 + * - ``lsof`` + - 4.99.5 + - 4.99.6 + * - ``ltp`` + - 20250930 + - 20260130 + * - ``lttng-modules`` + - 2.14.3 + - 2.14.4 + * - ``lttng-tools`` + - 2.14.0 + - 2.14.1 + * - ``lua`` + - 5.4.8 + - 5.5.0 + * - ``lzlib`` + - 1.15 + - 1.16 + * - ``m4`` + - 1.4.20 + - 1.4.21 + * - ``m4-native`` + - 1.4.20 + - 1.4.21 + * - ``makedumpfile`` + - 1.7.7 + - 1.7.8 + * - ``man-pages`` + - 6.15 + - 6.17 + * - ``mdadm`` + - 4.4 + - 4.6 + * - ``mesa`` + - 25.2.8 + - 26.0.5 + * - ``mesa-gl`` + - 25.2.8 + - 26.0.5 + * - ``meson`` + - 1.9.1 + - 1.10.2 + * - ``mpg123`` + - 1.33.2 + - 1.33.4 + * - ``msmtp`` + - 1.8.31 + - 1.8.32 + * - ``mtd-utils`` + - 2.3.0 + - 2.3.1 + * - ``musl`` + - 1.2.5+git + - 1.2.6+git + * - ``nasm`` + - 2.16.03 + - 3.01 + * - ``ncurses`` + - 6.5 + - 6.6 + * - ``newlib`` + - 4.5.0+git + - 4.6.0+git + * - ``nfs-utils`` + - 2.8.4 + - 2.8.7 + * - ``nghttp2`` + - 1.66.0 + - 1.68.1 + * - ``ninja`` + - 1.13.1 + - 1.13.2 + * - ``ofono`` + - 2.18 + - 2.19 + * - ``openmp`` + - 21.1.7 + - 22.1.3 + * - ``opensbi`` + - 1.7 + - 1.8.1 + * - ``openssh`` + - 10.2p1 + - 10.3p1 + * - ``opkg`` + - 0.8.0 + - 0.9.0 + * - 
``orc`` + - 0.4.41 + - 0.4.42 + * - ``ovmf`` + - edk2-stable202508 + - edk2-stable202511 + * - ``p11-kit`` + - 0.25.5 + - 0.26.2 + * - ``perl`` + - 5.40.2 + - 5.42.0 + * - ``perlcross`` + - 1.6.2 + - 1.6.4 + * - ``picolibc`` + - 1.8.6+git + - 1.8.11+git + * - ``picolibc-helloworld`` + - 1.8.6+git + - 1.8.11+git + * - ``procps`` + - 4.0.5 + - 4.0.6 + * - ``pseudo`` + - 1.9.3+git + - 1.9.5 + * - ``puzzles`` + - 0.0+git (a7c7826bce5c…) + - 0.0+git (ecb576fb2a0a…) + * - ``python3`` + - 3.13.12 + - 3.14.4 + * - ``python3-attrs`` + - 25.3.0 + - 25.4.0 + * - ``python3-babel`` + - 2.17.0 + - 2.18.0 + * - ``python3-bcrypt`` + - 4.3.0 + - 5.0.0 + * - ``python3-beartype`` + - 0.21.0 + - 0.22.9 + * - ``python3-build`` + - 1.3.0 + - 1.4.0 + * - ``python3-calver`` + - 2025.04.17 + - 2025.10.20 + * - ``python3-certifi`` + - 2025.8.3 + - 2026.2.25 + * - ``python3-cffi`` + - 1.17.1 + - 2.0.0 + * - ``python3-chardet`` + - 5.2.0 + - 6.0.0.post1 + * - ``python3-click`` + - 8.2.2 + - 8.3.1 + * - ``python3-cryptography`` + - 45.0.7 + - 46.0.5 + * - ``python3-cryptography-vectors`` + - 45.0.7 + - 46.0.5 + * - ``python3-cython`` + - 3.1.3 + - 3.2.4 + * - ``python3-dbusmock`` + - 0.37.0 + - 0.38.1 + * - ``python3-docutils`` + - 0.22 + - 0.22.4 + * - ``python3-dtschema`` + - 2025.8 + - 2025.12 + * - ``python3-hatchling`` + - 1.27.0 + - 1.29.0 + * - ``python3-hypothesis`` + - 6.142.2 + - 6.151.9 + * - ``python3-imagesize`` + - 1.4.1 + - 2.0.0 + * - ``python3-iniconfig`` + - 2.1.0 + - 2.3.0 + * - ``python3-jsonschema`` + - 4.25.1 + - 4.26.0 + * - ``python3-markdown`` + - 3.9 + - 3.10.2 + * - ``python3-markupsafe`` + - 3.0.2 + - 3.0.3 + * - ``python3-maturin`` + - 1.9.4 + - 1.12.4 + * - ``python3-meson-python`` + - 0.18.0 + - 0.19.0 + * - ``python3-numpy`` + - 2.3.4 + - 2.4.3 + * - ``python3-packaging`` + - 25.0 + - 26.0 + * - ``python3-pathspec`` + - 0.12.1 + - 1.0.4 + * - ``python3-pbr`` + - 7.0.1 + - 7.0.3 + * - ``python3-pdm`` + - 2.25.9 + - 2.26.6 + * - ``python3-pdm-backend`` + - 2.4.5 + 
- 2.4.7 + * - ``python3-pdm-build-locked`` + - 0.3.5 + - 0.3.7 + * - ``python3-pip`` + - 25.2 + - 26.0.1 + * - ``python3-poetry-core`` + - 2.1.3 + - 2.3.1 + * - ``python3-psutil`` + - 7.0.0 + - 7.2.2 + * - ``python3-pyasn1`` + - 0.6.1 + - 0.6.2 + * - ``python3-pycairo`` + - 1.28.0 + - 1.29.0 + * - ``python3-pycparser`` + - 2.22 + - 3.0 + * - ``python3-pygobject`` + - 3.52.3 + - 3.56.1 + * - ``python3-pyopenssl`` + - 25.1.0 + - 26.0.0 + * - ``python3-pyparsing`` + - 3.2.4 + - 3.3.2 + * - ``python3-pyproject-metadata`` + - 0.9.1 + - 0.11.0 + * - ``python3-pytest`` + - 8.4.2 + - 9.0.2 + * - ``python3-pytest-subtests`` + - 0.14.2 + - 0.15.0 + * - ``python3-pytz`` + - 2025.2 + - 2026.1 + * - ``python3-pyyaml`` + - 6.0.2 + - 6.0.3 + * - ``python3-rdflib`` + - 7.1.4 + - 7.6.0 + * - ``python3-rpds-py`` + - 0.27.1 + - 0.30.0 + * - ``python3-ruamel-yaml`` + - 0.18.15 + - 0.19.1 + * - ``python3-scons`` + - 4.9.1 + - 4.10.1 + * - ``python3-setuptools`` + - 80.9.0 + - 82.0.1 + * - ``python3-setuptools-scm`` + - 8.3.1 + - 9.2.2 + * - ``python3-sphinx`` + - 8.2.1 + - 9.1.0 + * - ``python3-sphinx-rtd-theme`` + - 3.0.2 + - 3.1.0 + * - ``python3-testtools`` + - 2.7.2 + - 2.8.7 + * - ``python3-trove-classifiers`` + - 2025.9.11.17 + - 2026.1.14.14 + * - ``python3-unittest-automake-output`` + - 0.3 + - 0.4 + * - ``python3-uritools`` + - 5.0.0 + - 6.0.1 + * - ``python3-urllib3`` + - 2.5.0 + - 2.6.3 + * - ``python3-wcwidth`` + - 0.2.13 + - 0.6.0 + * - ``python3-webcolors`` + - 24.11.1 + - 25.10.0 + * - ``python3-websockets`` + - 15.0.1 + - 16.0 + * - ``python3-wheel`` + - 0.46.1 + - 0.46.3 + * - ``python3-xmltodict`` + - 0.15.1 + - 1.0.4 + * - ``python3-yamllint`` + - 1.37.1 + - 1.38.0 + * - ``qemu`` + - 10.0.6 + - 10.2.0 + * - ``qemu-native`` + - 10.0.6 + - 10.2.0 + * - ``qemu-system-native`` + - 10.0.6 + - 10.2.0 + * - ``quota`` + - 4.10 + - 4.11 + * - ``re2c`` + - 4.3 + - 4.4 + * - ``repo`` + - 2.58 + - 2.61.1 + * - ``resolvconf`` + - 1.93 + - 1.94 + * - ``rgb`` + - 1.1.0 + - 1.1.1 + 
* - ``rpm-sequoia`` + - 1.9.0 + - 1.10.1 + * - ``rpm-sequoia-crypto-policy`` + - git (ae1df75b1155…) + - git (f3f5fa454345…) + * - ``rt-tests`` + - 2.9 + - 2.10 + * - ``ruby`` + - 3.4.5 + - 4.0.2 + * - ``rust`` + - 1.90.0 + - 1.94.1 + * - ``rust-cross-canadian`` + - 1.90.0 + - 1.94.1 + * - ``sbc`` + - 2.1 + - 2.2 + * - ``scdoc`` + - 1.11.3 + - 1.11.4 + * - ``seatd`` + - 0.9.1 + - 0.9.3 + * - ``shaderc`` + - 2025.3 + - 2026.1 + * - ``shadow`` + - 4.18.0 + - 4.19.4 + * - ``socat`` + - 1.8.0.3 + - 1.8.1.1 + * - ``spirv-headers`` + - 1.4.328.1 + - 1.4.341.0 + * - ``spirv-llvm-translator`` + - 21.1.1 + - 22.1.1 + * - ``spirv-tools`` + - 1.4.328.1 + - 1.4.341.0 + * - ``sqlite3`` + - 3.48.0 + - 3.51.3 + * - ``squashfs-tools`` + - 4.7.2 + - 4.7.5 + * - ``strace`` + - 6.16 + - 6.19 + * - ``stress-ng`` + - 0.19.04 + - 0.20.01 + * - ``swig`` + - 4.3.1 + - 4.4.1 + * - ``sysstat`` + - 12.7.8 + - 12.7.9 + * - ``systemd`` + - 257.8 + - 259.5 + * - ``systemd-boot`` + - 257.8 + - 259.5 + * - ``systemd-boot-native`` + - 257.8 + - 259.5 + * - ``systemd-systemctl-native`` + - 257.8 + - 259.5 + * - ``systemtap`` + - 5.3 + - 5.4 + * - ``systemtap-native`` + - 5.3 + - 5.4 + * - ``taglib`` + - 2.1.1 + - 2.2.1 + * - ``tcl`` + - 9.0.2 + - 9.0.3 + * - ``texinfo`` + - 7.2 + - 7.3 + * - ``ttyrun`` + - 2.38.0 + - 2.41.0 + * - ``u-boot`` + - 2025.10 + - 2026.01 + * - ``u-boot-tools`` + - 2025.10 + - 2026.01 + * - ``usbutils`` + - 018 + - 019 + * - ``utfcpp`` + - 4.0.6 + - 4.0.9 + * - ``util-linux`` + - 2.41.1 + - 2.41.3 + * - ``util-linux-libuuid`` + - 2.41.1 + - 2.41.3 + * - ``valgrind`` + - 3.25.1 + - 3.26.0 + * - ``vim`` + - 9.1.1683 + - 9.2.0340 + * - ``vim-tiny`` + - 9.1.1683 + - 9.2.0340 + * - ``virglrenderer`` + - 1.1.1 + - 1.2.0 + * - ``vte`` + - 0.82.1 + - 0.82.2 + * - ``vulkan-headers`` + - 1.4.328.1 + - 1.4.341.0 + * - ``vulkan-loader`` + - 1.4.328.1 + - 1.4.341.0 + * - ``vulkan-samples`` + - git (d27205d14d01…) + - git (fa2cf45adde0…) + * - ``vulkan-tools`` + - 1.4.328.1 + - 
1.4.341.0 + * - ``vulkan-utility-libraries`` + - 1.4.328.1 + - 1.4.341.0 + * - ``vulkan-validation-layers`` + - 1.4.328.1 + - 1.4.341.0 + * - ``vulkan-volk`` + - 1.4.328.1 + - 1.4.341.0 + * - ``wayland-protocols`` + - 1.45 + - 1.47 + * - ``wayland-utils`` + - 1.2.0 + - 1.3.0 + * - ``webkitgtk`` + - 2.50.4 + - 2.50.6 + * - ``weston`` + - 14.0.2 + - 15.0.0 + * - ``wpebackend-fdo`` + - 1.16.0 + - 1.16.1 + * - ``x264`` + - r3039+git (31e19f92f00c…) + - r3039+git (0480cb05fa18…) + * - ``xauth`` + - 1.1.4 + - 1.1.5 + * - ``xcb-util-cursor`` + - 0.1.5 + - 0.1.6 + * - ``xeyes`` + - 1.3.0 + - 1.3.1 + * - ``xkbcomp`` + - 1.4.7 + - 1.5.0 + * - ``xkeyboard-config`` + - 2.45 + - 2.47 + * - ``xorgproto`` + - 2024.1 + - 2025.1 + * - ``xserver-xorg`` + - 21.1.18 + - 21.1.21 + * - ``xwayland`` + - 24.1.8 + - 24.1.9 + * - ``xz`` + - 5.8.1 + - 5.8.2 + * - ``zlib`` + - 1.3.1 + - 1.3.2 Contributors to |yocto-ver| --------------------------- From patchwork Fri Apr 24 08:28:44 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antonin Godard X-Patchwork-Id: 86817 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1037BFB44D9 for ; Fri, 24 Apr 2026 08:29:10 +0000 (UTC) Received: from smtpout-03.galae.net (smtpout-03.galae.net [185.246.85.4]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.16700.1777019348266762947 for ; Fri, 24 Apr 2026 01:29:08 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@bootlin.com header.s=dkim header.b=k+pkICnr; spf=pass (domain: bootlin.com, ip: 185.246.85.4, mailfrom: antonin.godard@bootlin.com) Received: from smtpout-01.galae.net (smtpout-01.galae.net [212.83.139.233]) by smtpout-03.galae.net (Postfix) with ESMTPS id AAE0D4E42AE6 for ; Fri, 24 Apr 2026 08:29:06 +0000 
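Review bot: The comment added under "Recipe Upgrades in |yocto-ver|" names the layer index branch_comparison page and the "rST" output option but not which two branches were compared, so the table cannot be regenerated from the comment alone. Add the branch pair that was used, the way the contributors comment later in this series records its yocto-5.3..origin/master range.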
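Review bot: The ``libx11-compose-data`` row (1.8.4 to 1.8.12) does not line up with the ``libx11`` row directly above it (1.8.12 to 1.8.13), which suggests the generated data for one of the two is stale; please check both rows against the recipes before this is merged. The header change to "Previous version(s)" covers rows such as ``linux-yocto`` with "6.12.69+git, 6.16.11+git", but a sentence above the table saying why a recipe can list several previous versions would help readers who use this table to confirm which version they were building.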
From: Antonin Godard
Date: Fri, 24 Apr 2026 10:28:44 +0200
Subject: [PATCH v2 16/18] migration-guides/migration-6.0.rst: mention python3-roman-numerals-py rename
Message-Id: <20260424-third-release-notes-6-0-v2-16-4feacf138e13@bootlin.com>
References: <20260424-third-release-notes-6-0-v2-0-4feacf138e13@bootlin.com>
In-Reply-To: <20260424-third-release-notes-6-0-v2-0-4feacf138e13@bootlin.com>
To: docs@lists.yoctoproject.org
Cc: Thomas Petazzoni, Antonin Godard
X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/9354

Following faff756e829b ("python3-roman-numerals-py: upgrade 3.1.0 -> 4.1.0") in OE-Core.

Signed-off-by: Antonin Godard --- documentation/migration-guides/migration-6.0.rst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/documentation/migration-guides/migration-6.0.rst b/documentation/migration-guides/migration-6.0.rst index ecb124a93..905d52fae 100644 --- a/documentation/migration-guides/migration-6.0.rst +++ b/documentation/migration-guides/migration-6.0.rst 
@@ -489,6 +489,9 @@ The following recipes have been removed in this release: ``cve-check`` class removal as it was the only user of these recipes. (:oecore_rev:`00de455f8d3aeca880129d23e8cfb7e246404699`) +- ``python3-roman-numerals-py``: renamed to ``python3-roman-numerals`` + (:oecore_rev:`faff756e829b852724ad706051d6a771071440cb`) + Removed :term:`PACKAGECONFIG` options -------------------------------------
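Review bot: The new ``python3-roman-numerals-py`` entry is added to the "The following recipes have been removed in this release:" list, but it describes a rename, so a reader skimming for removals may not realise the recipe still exists under another name. State explicitly that references to the old name (for example in RDEPENDS or IMAGE_INSTALL) have to be switched to ``python3-roman-numerals``, and consider mentioning the 3.1.0 to 4.1.0 upgrade from the commit message, since the rename arrived with it.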
From: Antonin Godard
Date: Fri, 24 Apr 2026 10:28:45 +0200
Subject: [PATCH v2 17/18] migration-guides/release-notes-6.0.rst: add contributors
Message-Id: <20260424-third-release-notes-6-0-v2-17-4feacf138e13@bootlin.com>
References: <20260424-third-release-notes-6-0-v2-0-4feacf138e13@bootlin.com>
In-Reply-To: <20260424-third-release-notes-6-0-v2-0-4feacf138e13@bootlin.com>
To: docs@lists.yoctoproject.org
Cc: Thomas Petazzoni, Antonin Godard
X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/9355

Signed-off-by: Antonin Godard --- .../migration-guides/release-notes-6.0.rst | 199 +++++++++++++++++++++ 1 file changed, 199 insertions(+) diff --git a/documentation/migration-guides/release-notes-6.0.rst b/documentation/migration-guides/release-notes-6.0.rst index 8f09223d0..f93075d7a 100644 --- a/documentation/migration-guides/release-notes-6.0.rst +++ b/documentation/migration-guides/release-notes-6.0.rst 
@@ -2020,7 +2020,206 @@ The following recipes have been upgraded: Contributors to |yocto-ver| --------------------------- +.. + List obtained with the following shell snippet: + + authors="" + for repo in openembedded-core yocto-docs bitbake meta-yocto; do + authors="${authors}\n$(git --no-pager -C $repo log --format="- %an" yocto-5.3..origin/master)" + done + echo $authors | sort | uniq + + Email addresses and duplicates removed. + Thanks to the following people who contributed to this release: +- Adam Blank +- Adam Duskett +- Adarsh Jagadish Kamini +- Aditya Kurdunkar +- Adrian Freihofer +- Ahmad Fatoum +- Alejandro Hernandez Samaniego +- Aleksandar Nikolic +- Alexander Kanavin +- Alexander Sverdlin +- Alex Bradbury +- Alex Kiernan +- Amaury Couderc +- Andrej Kozemcak +- Anibal Limon +- Ankur Tyagi +- Antonin Godard +- Ashish Kumar Mishra +- Ashish Sharma +- BELHADJ SALEM Talel +- Benjamin Robin +- Bruce Ashfield +- Changqing Li +- Chen Qi +- Clement Faure +- Colin Pinnell McAllister +- Corentin Guillevic +- Daiane Angolini +- Daniel Dragomir +- Daniel Turull +- Dan McGregor +- Deepesh Varatharajan +- Dmitry Baryshkov +- Dragomir, Daniel +- El Mehdi YOUNES +- Enrico Jörns +- Ernst Persson +- Etienne Cordonnier +- Fabio Berton +- Fabio Estevam +- Favazza, Samuele +- Florian Schmaus +- Francesco Valla +- Franz Schnyder +- Germann, Bastian +- Guðni Már Gilbert +- Gyorgy Sarvari +- Haiqing Bai +- Harish Sadineni +- Hemanth Kumar M D +- Het Patel +- Hiago De Franco +- Himanshu Jadon +- hongxu +- Hongxu Jia +- Jaeyoon Jung +- Jan Luebbe +- Jan Vermaete +- Jason Schonberg +- Javier Tia +- Jiaying Song +- Jinfeng Wang +- João Marcos Costa +- Jörg Sommer +- Jose Quaresma +- Joshua Watt +- Kai Kang +- Kamel Bouhara +- Kavinaya S +- Ken Kurematsu +- Khai Dang +- Khalifa Rouis +- Khem Raj +- Koen Kooi +- Kory Maincent +- Kristiyan Chakarov +- Krupal Ka Patel +- Lee Chee Yang +- Leon Anavi +- Le Qi +- Liu Yiding +- Livin Sunny +- Liyin Zhang +- Logan Gallois +- Louis Rannou 
+- Lucas Stach +- Luka Krstic +- Mahesh Angadi +- Mark Hatle +- Mark-Pk Tsai +- Markus Volk +- mark.yang +- Martin Jansa +- Martin Schwan +- Mathieu Dubois-Briand +- Matt Madison +- Maxin B. John +- Maxin John +- Max Krummenacher +- Miaoqing Pan +- Michael Arndt +- Michael Halstead +- Michael Opdenacker +- Michal Sieron +- Mikko Rapeli +- Ming Liu +- Mingli Yu +- Miroslav Cernak +- Mohammad Rafi Shaik +- Mohammad Rahimi +- Moritz Haase +- Naftaly RALAMBOARIVONY +- Naman Jain +- Nikhil R +- Niko Mauno +- Nora Schiffer +- Osama Abdelkader +- Patrick Vogelaar +- Patrick Wicki +- Paul Barker +- Pavel Löbl +- Peter Bergin +- Peter de Ridder +- Peter Kjellerstedt +- Peter Marko +- Peter Tatrai +- Philip Lorenz +- Pierre-Loup GOSSE +- Piotr Buliński +- Pratik Farkase +- Quentin Schulz +- Randolph Sapp +- Randy MacLeod +- Ricardo Salveti +- Ricardo Simoes +- Ricardo Ungerer +- Richard Purdie +- Robert Joslyn +- Robert P. J. Day +- Robert Yang +- Rob Woolley +- Ross Burton +- Rouven Rastetter +- Ryan Eatmon +- Sam Povilus +- Samuli Piippo +- Sandeep Gundlupet Raju +- Scott Murray +- Shaik Moin +- Shotaro Uchida +- Stefano Babic +- Stefano Tondo +- Sunil Dora +- sven.kalmbach +- Swami +- Telukula Jeevan Kumar Sahu +- Theo GAIGE +- Thomas Perrot +- Tim Orling +- Tom Geelen +- Trevor Gamblin +- Trevor Woerner +- Ulrich Ölmann +- Uwe Kleine-König +- Veeresh Kadasani +- Victor Kamensky +- Vijay Anusuri +- Viswanath Kraleti +- Vivek Puar +- Vyacheslav Yurkov +- Wang Mingyu +- Weisser, Pascal +- Xiangyu Chen +- Yanis BINARD +- Yann Dirson +- Yannic Moog +- Yash Gupta +- Yash Shinde +- Yasir Al-Latifi +- Yiding Liu +- Yi Zhao +- Yoann Congal +- Yongxin Liu +- Zhangfei Gao +- Zhang Peng +- Zk47T +- Zoltán Böszörményi + Repositories / Downloads for Yocto-|yocto-ver| ---------------------------------------------- From patchwork Fri Apr 24 08:28:46 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antonin Godard 
X-Patchwork-Id: 86821
From: Antonin Godard
Date: Fri, 24 Apr 2026 10:28:46 +0200
Subject: [PATCH v2 18/18] ref-manual/variables: IMAGE_TYPES: add new wicenv type
Message-Id: <20260424-third-release-notes-6-0-v2-18-4feacf138e13@bootlin.com>
References: <20260424-third-release-notes-6-0-v2-0-4feacf138e13@bootlin.com>
In-Reply-To: <20260424-third-release-notes-6-0-v2-0-4feacf138e13@bootlin.com>
To: docs@lists.yoctoproject.org
Cc: Thomas Petazzoni, Antonin Godard
X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/9356

Added by commit e4d49702f21f ("image_types_wic: Introduce wicenv image type") in OE-Core.
Signed-off-by: Antonin Godard --- documentation/ref-manual/variables.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst index 4341e27fc..a8cbb87cf 100644 --- a/documentation/ref-manual/variables.rst +++ b/documentation/ref-manual/variables.rst @@ -4680,6 +4680,7 @@ system and gives an overview of their function and contents. - wic.gz - wic.lzma - wic.zst + - wicenv For more information about these types of images, see ``meta/classes-recipe/image_types*.bbclass`` in :term:`OpenEmbedded-Core
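Review bot: In the IMAGE_TYPES hunk, `wicenv` is appended directly after `wic.gz`, `wic.lzma` and `wic.zst`, where it reads as one more compressed variant of `wic`, and neither the new entry nor the paragraph that follows says what the type produces. Since the commit message already names the OE-Core change that introduced it, consider adding a short sentence or cross-reference after the list describing what `wicenv` generates, so readers do not have to open ``meta/classes-recipe/image_types*.bbclass`` to find out.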