This platform has its own kernel defconfig in Buildroot, but we cannot
get quick idea about how much it diverged from the in-kernel defconfig.
Let's use the upstream arch/arm/config/versatile_defconfig as a base,
and maintain the diff as a merge-config fragment. The same .config is
still generated (based on the 5.10.7 kernel).
The diff is quite big, but this is a good start-point for cleanups.
Follow-up works can drop diff lines unless we find a good reason for
divergence.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
[Arnout: rename linux.config to linux.fragment]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
This defconfig enables sunxi-mali-mainline-driver so we need to disable
Lima in Linux to prevent Mali to not load.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This defconfig enables sunxi-mali-mainline-driver so we need to disable
Lima in Linux to prevent Mali to not load.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
This Linux defconfig fragment is needed to disable Lima driver in favour of
Mali(if enabled). This because Lima is enabled by default in Linux's
sunxi_defconfig and if we enable Mali driver in Buildroot it will fail to
load. So let's set CONFIG_DRM_LIMA=n. Of course this fragment is only used
by Buildroot defconfigs that enable Mali driver.
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Select BR2_TARGET_UBOOT_NEEDS_OPENSSL to fix the following build
error:
include/image.h:1178:12: fatal error: openssl/evp.h: No such file or directory
1178 | # include <openssl/evp.h>
| ^~~~~~~~~~~~~~~
After the update of u-boot in commit 9a04bbec1c (configs/imx6slevk: bump
U-Boot).
Fixes:
- https://gitlab.com/buildroot.org/buildroot/-/jobs/1946650628
Signed-off-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In GCC6 the compiler was made smarter to omit the flag
-fdebug-prefix-map from the DWARF DW_AT_producer section[1]. That flag
contains the absolute path '$(BASE_DIR)' which breaks reproducibility.
Prior to GCC6 however, the only way to omit the flag is to use
-gno-record-gcc-switches which omits all flags.
[1] https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=266cc0c181549c2fb6b50f8f26213cdc89101026
Signed-off-by: Brandon Maier <brandon.maier@rockwellcollins.com>
[Arnout: invert condition to ifeq (,) instead of ifneq (,y)]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
In GCC8 the flag -ffile-prefix-map handles cleaning up both the __FILE__
macros and the debug info paths. In GCC7 or below we are manually
handling the __FILE__ macros, but not debug info paths. Use
-fdebug-prefix-map to clean them up. This option exists since GCC 4.3.0,
which is our minimal supported GCC version.
See for more detail: https://reproducible-builds.org/docs/build-path/
Signed-off-by: Brandon Maier <brandon.maier@rockwellcollins.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
libest is a C implementation of RFC 7030 (Enrollment over
Secure Transport).
It can be used to provision public key certificates from
a certificate authority (CA) or registration authority (RA)
to end-user devices and network infrastructure devices.
https://github.com/cisco/libest
Notes on patches included in this package:
- libest bundles a stubbed version of libsafec, and has no provision
to build against a system-installed full (non-stubbed) libsafec.
We add a patch to make that possible.
- Added a configuration option --{enable,disable}-examples to toggle
examples build by a separate patch.
- There's a configuration option `--enable-jni` which allows to build
a JNI library for binding libest to Java programs. And that library
would be using an outdated version of OpenSSL 1.0.
We fix that by adding support for OpenSSL 1.1 API for that library.
- Fixed a bug when specifying either `--enable-FEATURE` or `--disable-FEATURE`
has always been enabling the feature.
Signed-off-by: Aleksandr Makarov <aleksandr.o.makarov@gmail.com>
[Thomas:
- Added comments about the upstream status in existing patches
- Added a patch fixing an autoreconf issue
- Added a patch adding a missing "extern" on a variable to fix build
with gcc 10
- Removed the glibc dependency by using the new libexecinfo package
- Drastically simplified the complex libcoap disabling and client-only
mode vs. OpenJDK issue. libcoap support is now forcefully disabled,
and client-mode only option is made invisible when OpenJDK is
enabled.
- Fixed the license information;
- Added missing host-pkgconf
]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
GnuTls implements old, unsafe or unused protocols and cyphers
Secure embedded systems shall disable them in order to be certified.
This patch allows to select/deselect SSLv2 protocol and gost cipher.
Signed-off-by: Erwan GAUTRON <erwan.gautron@bertin.fr>
[Peter: default options to 'n', move next to _GNUTLS_TOOLS, explicit
--enable]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Agent is always enabled. Even though a server without agent is a valid
use case, the agent doesn't take much space compared to the server so
making it optional is not worth it.
Optional dependencies (openssl, libcurl, ...) are set globally, even
though they are supposedly only used for the server. However, this is
not so obvious from configure.ac so it's easy to accidentally miss one.
Setting them globally doesn't hurt.
The proxy, agent2 and webservice features are left disabled. agent2
requires go.
zabbix also has support for sqlite3 as database backend, but only for
the proxy, not for the server.
Signed-off-by: Alexey Lukyanchuk <skif@skif-web.ru>
[Arnout:
- BR2_TOOLCHAIN_USES_GLIBC implies the other glibc options.
- Fix wrapping in Config.in help text.
- Add upstream URL.
- Protect comments with "depends on" instead of "if".
- Select postgresl/mysql instead of depends (and propagate
dependencies).
- Remove redundant condition around
BR2_PACKAGE_ZABBIX_SERVER_COPY_DUMPS.
- Select PHP extensions instead of depends.
- Make optional dependencies automatic instead of Config.in.
- Improve some of the help texts.
- Bump to 5.4.9 and update hashes.
- Add COPYING as license file.
- Switch to actual upstream at zabbix.com.
- Explicitly disable all unused features.
- Disable zabbix user login with '*'.
- Don't add user to zabbix group twice.
- Do patch of zabbix_*.conf in post-patch hook and do it for all conf
files in one shot.
- Remove workarounds for pending patches (which were merged).
- Put web ui in /var/www/zabbix and SQL files in /var/lib/zabbix.
]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
The current behavior for busybox' udhcpc is to terminate if no lease is
obtained at start up. Therefore no address is acquired if the link is
established afterwards.
By setting the -b flag udhcpc will background allowing the link to be
established at any time.
Signed-off-by: Lothar Felten <lothar.felten@gmail.com>
[Peter: drop incompatible -n, also fixup busybox-minimal.config]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since commit ead2afda13, gettext is
wrongly disabled when BR2_SYSTEM_ENABLE_NLS is set
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
These packages needed to depend on host-python3 because their Scons
machinery was written in python3, but host-scons itself was depending
on host-python. Now that host-scons depends on host-python3, the
packages that use host-scons no longer have to carry a host-python3
dependency.
The other package using scons, mongodb, does not have a direct
dependency on host-python3, but on a number of host Python 3.x modules
which are needed during the build, so no changes is necessary there.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Back in commit
f72be49830 ("package/scons: remove
python from SCONS"), we changed the SCONS variable to not explicitly
invoke the Python interpreter, because some scons-based packages used
python2, some python3.
Now that the 3 remaining packages using scons (gpsd, mongodb and
benejson) all use python3, we can bring back the python3 interpreter
call into the SCONS variable, and slightly simplify those packages.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
All packages using scons are now using Python 3 to run it, so
explicitly set scons as using host-python3. This avoids a
spurious host Python 2 dependency if BR2_PACKAGE_PYTHON3 is not
set (for example, if no Python is packaged for the target).
Signed-off-by: Robert Hancock <hancock@sedsystems.ca>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Updated license hash and location of LICENSE.TXT due to upstream commit:
0606350c2a
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Use src/libfakekey.c as the license file because there is no COPYING in
the git tarball
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Drop second and third patches (already in version)
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Remove upstream patch
Fixes a build issue with toolchains using kernel headers < 5.6,
when the openat2(2) syscall is not available [2].
Add a new patch to fix homework-mount with linux-headers < 5.2.
[1] cd88d010e8
[2] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=fddb5d430ad9fa91b49b1d34d0202ffe2fa0e179
Signed-off-by: Romain Naour <romain.naour@smile.fr>
Cc: Norbert Lange <nolange79@gmail.com>
Cc: Yann E. MORIN <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Back in commit e90a4bf4af ("alsa-lib:
don't use versioned symbols") from 2009, symbol versioning was
disabled in alsa-lib, because it was causing problems with C
libraries (such as uClibc) that doesn't support symbol versioning. The
thread at
http://mailman.alsa-project.org/pipermail/alsa-devel/2009-February/014999.html
has some background discussion about this.
Essentially, the issue was that alsa-lib in the new version of a given
symbol calls into an old version of the same symbol. If your C library
has symbol versioning, everything works fine. But if your C library
doesn't support symbol versioning, the call from the new symbol into
the old symbol will in fact end up in the new symbol, causing an
infinite recursion.
That problem was solved back then by unconditionally disabling symbol
versioning in alsa-lib.
However, some libraries such as CEF depend on versioned symbols from
alsa-lib, and the build fails during linking with versioning disabled.
This patch conditionally disables versioned symbols when unsupported
by the toolchain, leaving them enabled otherwise. We assume only glibc
has support for symbol versioning. uClibc has no support, and musl has
some limited support, so we take the safe route of only enabling
symbol versioning for glibc.
Signed-off-by: Joseph Kogut <joseph.kogut@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security issues:
- CVE-2021-41105: FreeSWITCH susceptible to Denial of Service via invalid
SRTP packets
When handling SRTP calls, FreeSWITCH is susceptible to a DoS where calls
can be terminated by remote attackers. This attack can be done
continuously, thus denying encrypted calls during the attack.
https://github.com/signalwire/freeswitch/security/advisories/GHSA-jh42-prph-gp36
- CVE-2021-41157: FreeSWITCH does not authenticate SIP SUBSCRIBE requests by default
By default, SIP requests of the type SUBSCRIBE are not authenticated in
the affected versions of FreeSWITCH.
https://github.com/signalwire/freeswitch/security/advisories/GHSA-g7xg-7c54-rmpj
- CVE-2021-37624: FreeSWITCH does not authenticate SIP MESSAGE requests,
leading to spam and message spoofing
By default, SIP requests of the type MESSAGE (RFC 3428) are not
authenticated in the affected versions of FreeSWITCH. MESSAGE requests
are relayed to SIP user agents registered with the FreeSWITCH server
without requiring any authentication. Although this behaviour can be
changed by setting the auth-messages parameter to true, it is not the
default setting.
https://github.com/signalwire/freeswitch/security/advisories/GHSA-mjcm-q9h8-9xv3
- CVE-2021-41145: FreeSWITCH susceptible to Denial of Service via SIP flooding
When flooding FreeSWITCH with SIP messages, it was observed that after a
number of seconds the process was killed by the operating system due to
memory exhaustion
https://github.com/signalwire/freeswitch/security/advisories/GHSA-jvpq-23v4-gp3m
- CVE-2021-41158: FreeSWITCH vulnerable to SIP digest leak for configured gateways
An attacker can perform a SIP digest leak attack against FreeSWITCH and
receive the challenge response of a gateway configured on the FreeSWITCH
server. This is done by challenging FreeSWITCH's SIP requests with the
realm set to that of the gateway, thus forcing FreeSWITCH to respond with
the challenge response which is based on the password of that targeted
gateway.
https://github.com/signalwire/freeswitch/security/advisories/GHSA-3v3f-99mv-qvj4
Release notes:
https://github.com/signalwire/freeswitch/releases/tag/v1.10.7
Removed patch, upstream applied a different fix:
e9fde845de
Added optional dependency to libks, needed due to upstream commit
ed98516666
Added upstream patches to fix build errors.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
[Peter: mention security fixes]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Bump U-Boot to 2021.10 and kernel to 5.15.12 version.
Signed-off-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
So far, cryptopp only had a host variant, but some use-cases require
this library on the target, so this adjusts the cryptopp package
accordingly.
One patch (submitted upstream) is needed to have the proper symlink
corresponding to the SONAME of the shared library.
Signed-off-by: Kamel Bouhara <kamel.bouhara@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
prometheus remote write backend depends on protobuf and snappy and is
enabled by default since the addition of the package in commit
1d2bb46907
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
In order to build the numpy distutils extension packages like
python-scipy, python-numba, it requires an explicit pkg-config
path fixup for npymath.ini.
This pkg-config path fixup would update the prefix path of
npymath.ini with actual target staging area where numpy core
was built, so that numpy distutils extension packages would
explicitly link this config path for their package environment.
Without this extension packages cannot find -lnpymath since
it uses host libraries (like libnpymath.a).
So, attach the post install staging hook with pkg-config
path fixup for npymath.ini.
Signed-off-by: Esben Haabendal <esben@geanix.com>
Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
The way that python-pybind can be used is fairly complicated, so a
runtime test for it is convenient. In addition, this test validates that
the headers actually work at runtime.
Signed-off-by: Guillaume W. Bres <guillaume.bressaix@gmail.com>
[Arnout:
- Retain python3 only.
- python-pybind is a target package, not host.
- Select python-pybind instead of depend.
- Simplify python-pybind-example package.
- Check in python-pybind-example build if pybind11.get_include()
produces output.
- Don't use python3 -m pybind11 --includes: it includes the main python
includes, which are for the host, not for the target.
- Use TestPythonPackageBase instead of open-coding something imported
with host python.
]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
pybind11 is not really a Python module; it is actually a set of headers
that is used to wrap Python objects in C++.
Since pybind version 2.6.1, it uses CMake internally. This causes a
number of build issues for Buildroot because either no cmake is present
or it is too old.
pybind in fact has three parts: the C++ headers, a python module
pybind11, and the tests. The python package's only purpose is to serve
as a configure script for users of pybind. CMake is mainly used to build
and run the tests, which use the (mock-installed) pybind11 module to
find the (mock-installed) C++ headers. CMake is also used to install the
headers.
The setup.py script calls into CMake to install the headers and CMake
support files to a temporary directory, then copies that together with
the pybind11 module into the Python directory. The pybind11 module then
returns the include and cmake paths relative to its install location
(using __file__ to determine the install location).
This is not at all compatible with how Buildroot expects things to be
organised.
- The include and CMake files are installed somewhere within the Python
directories, where nobody will find them.
- The Python module is installed for the target, but at build time
Python modules are read from the host directory only. Therefore, a
user of pybind can't actually load the module.
To solve this, several options are possible:
- Treat pybind as a host package. This causes users of pybind to build
with an include path pointing into the host directory. This happens to
work because pybind is a header-only library and because it is
installed in a specific location which is not contaminated by other
headers. However, it is philosophically wrong - a build for the target
should never have an include path pointing to the host directory.
- Install pybind in the usual way into staging, and add a stub module to
the host directory that returns paths to the staging directory. This
leaves a useless pybind11 module in the staging directory, and puts
the headers and cmake files in an unusual location. In addition it
is not so simple - we need to jump through hoops to make sure that
cmake is called correctly when it goes through python-package.
- Install the headers and cmake files using CMake, and add a (stub)
python module in the host directory that points users to the staging
directory. This puts the headers in the usual place
(STAGING_DIR/usr/include) and still makes it possible to find them
from a python package at build time.
We choose the latter solution.
First of all, convert to cmake-package. This installs just the headers
and the cmake support files. We need to pass PYBIND11_NOPYTHON=ON
because there is a cmake module that tries to find the python binary. It
sometimes finds the system python, sometimes the host python. In either
case, it checks whether this python's bitness and endianness correspond
to that of the compiler - which generally it doesn't in
cross-compilation. PYBIND_NOPYTHON bypasses this check.
Install in staging and not in target. Before, it was installed to target
but the python module would point to the target directory so it worked
anyway; now, however, we can properly use the staging directory.
Since it is no longer a python-package, the python module is not
installed automatically. Install them manually in a post-staging-install
hook. Since the python module is supposed to be used at build time,
install it in the host directory rather than in staging.
The python module normally looks in its current directory to find the
include and cmake paths, but for cross-compilation this is wrong. Add a
non-upstreamable patch that checks for STAGING_DIR in the environment.
If it is set (which is the case in Buildroot), use that instead of the
current directory.
Add an explicit dependency on python3. The headers include Python.h, so
any user of pybind needs to implicitly depend on python3. While we're at
it, change it to support python3 only - even though pybind currently
still supports python2, adding support for it in Buildroot is a little
bit complicated and python2 will be removed soon anyway.
Cc: Esben Haabendal <esben@geanix.com>
Cc: Andreas Naumann <dev@andin.de>
Co-Developed-by: Jagan Teki <jagan@amarulasolutions.com>
Co-Developed-by: Guillaume W. Bres <guillaume.bressaix@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Fix the following uclibc build failure raised since bump to version
0.8.1 in commit 5dbdb2535c:
/home/buildroot/autobuild/instance-2/output-1/host/opt/ext-toolchain/bin/../lib/gcc/microblazeel-buildroot-linux-uclibc/10.3.0/../../../../microblazeel-buildroot-linux-uclibc/bin/ld: xxhash.o: in function `XXH3_hashLong_128b_internal.constprop.0':
(.text+0xcbc): undefined reference to `static_assert'
Fixes:
- http://autobuild.buildroot.org/results/559/5595b21a711b482b84e582fc9f56e5468c9eb6d6/build-end.log
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Disable execinfo to avoid the following build failure raised since the
addition of libexecinfo package in commit
eea8ba446c:
/home/giuliobenetti/autobuild/run/instance-0/output-1/host/lib/gcc/arc-buildroot-linux-uclibc/10.2.0/../../../../arc-buildroot-linux-uclibc/bin/ld: main.o: in function `do_panic(int)':
/home/giuliobenetti/autobuild/run/instance-0/output-1/build/rtorrent-0.9.8/src/main.cc:606: undefined reference to `backtrace'
Fixes:
- http://autobuild.buildroot.org/results/10fc9016013931c58238240216c5950b23b56b30
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
qpdf needs atomic since bump to version 10.5.0 in commit
b5352c2177 and
c5c1a028cd:
/home/buildroot/autobuild/instance-2/output-1/host/opt/ext-toolchain/m68k-buildroot-uclinux-uclibc/bin/ld.real: /home/buildroot/autobuild/instance-2/output-1/build/qpdf-10.5.0/libqpdf/build/.libs/libqpdf.a(QPDF.o): in function `QPDF::QPDF()':
QPDF.cc:(.text+0x48de): undefined reference to `__atomic_fetch_add_8'
Fixes:
- http://autobuild.buildroot.org/results/7e18689670dcbe491c35f0597e5c3c787936263f
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
By default, Avahi installs service definitions for SSH and SFTP, but
those might not be present on all systems. This commit adds an option
to control the installation of those Avahi services. Even though that
potentially breaks backward compatibility with older configuration, we
have chosen to make the option default to disable, which means that
now the SSH and SFTP avahi services are no longer installed by
default.
As there is no way to tell the Avahi package not to install the
service files in the first place, we have to manually remove them from
the target directory.
Signed-off-by: Florian Larysch <fl@n621.de>
[Thomas: make the option default to disabled, fix small formatting issues.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
