wrynose: Backport master fixes

.github/workflows/backport.yaml

@@ -1,28 +1,21 @@
-name: Backport labeled merged pull requests
+name: Backport merged pull requests
 on:
   pull_request_target:
-    types: [closed]
+    types: [closed, labeled]
+
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
-  build:
+  backport:
     name: Create backport PRs
     runs-on: ubuntu-latest
-    # Only run when pull request is merged
-    # or when a comment containing `/backport` is created
+    # Run on merged PRs that carry a 'backport <branch>' label, whether the
+    # label was added before the merge or afterwards.
     if: github.event.pull_request.merged
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
-          # Required to find all branches
           fetch-depth: 0
-      - name: Create backport PRs
-        # Should be kept in sync with `version`
-        uses: zeebe-io/backport-action@v0.0.4
-        with:
-          # Required
-          # Version of the backport-action
-          # Must equal the version in `uses`
-          # Recommended: latest tag or `master`
-          version: v0.0.4
-
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          github_workspace: ${{ github.workspace }}
+      - uses: korthout/backport-action@v4

.github/workflows/oelint.yaml

@@ -0,0 +1,25 @@
+name: OE Lint
+
+on:
+  pull_request:
+  merge_group:
+  push:
+    branches:
+      - master
+
+concurrency:
+  group: ${{ github.repository }}-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  oelint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: ossystems/nix-actions@v1
+        with:
+          install-nix: true
+          flake-check: false
+          build-hosts: false
+          build-devshells: false
+          devshell: github:OSSystems/yocto-env.nix#lint
+          run: ./contrib/oelint/run-oelint.sh

.oelint.cfg

@@ -0,0 +1,12 @@
+# oelint-adv defaults for this layer. Auto-loaded when oelint-adv runs with this
+# directory as the working directory (see contrib/oelint/run-oelint.sh).
+#
+# The only layer-wide suppression is oelint.var.bbclassextend: every recipe in
+# this layer is target-only, so the "add BBCLASSEXTEND" suggestion never applies
+# and would otherwise need a redundant inline comment on every single recipe.
+# All other exceptions stay inline as '# nooelint: <rule.id>' comments next to
+# the finding, so new recipes are always fully linted and each exception is
+# documented in place.
+[oelint]
+release = wrynose
+suppress = oelint.var.bbclassextend

README

@@ -14,14 +14,19 @@ revision: HEAD
 Contributing
 ------------
 
-To contribute to this layer you should submit the patches for review
-to our server at https://code.ossystems.com.br
+To contribute to this layer you should submit the pull requests
+on GitHub at https://github.com/OSSystemsEmbeddedLinux/meta-ossystems-base
 
 Please refer to:
-http://openembedded.org/wiki/Commit_Patch_Message_Guidelines
+https://docs.yoctoproject.org/contributor-guide/
 
 for some useful guidelines to be followed when submitting patches.
 
 Source code:
 
-    https://code.ossystems.com.br/gitweb?p=meta-ossystems-base.git
+    https://github.com/OSSystemsEmbeddedLinux/meta-ossystems-base
+
+Maintainer
+----------
+
+Otavio Salvador <otavio.salvador@ossystems.com.br>

SECURITY.md

@@ -0,0 +1,19 @@
+How to Report a Potential Vulnerability?
+========================================
+
+Confirmed or potential security vulnerabilities in the meta-ossystems-base layer should
+be submitted directly via the
+[Issues](https://github.com/OSSystemsEmbeddedLinux/meta-ossystems-base/issues) page.
+
+If you are dealing with a not-yet released or urgent issue, please send a
+message to the maintainer listed in the [README](README). Include as
+many details as possible:
+  - the layer or software module affected
+  - the recipe and its version
+  - any example code, if available
+
+Branches maintained with security fixes
+---------------------------------------
+
+See https://wiki.yoctoproject.org/wiki/Releases for the list of current
+releases. We only accept patches for the LTS releases and the master branch.

classes/cve-filter.bbclass

@@ -1,3 +1,4 @@
+# nooelint: oelint.bbclass.underscores oelint.file.inlinesuppress_na  no EXPORT_FUNCTIONS here, so the dash is harmless
 # Copyright (c) 2024 O.S. Systems Software LTDA.
 # Usage Instructions for the Yocto CVE Filter Class
 
@@ -18,7 +19,7 @@
 
 # The cve-filter class provides several configurable variables:
 
-# CVE_FILTER_PREVIOUS_FILE: Specifies the previous version of 
+# CVE_FILTER_PREVIOUS_FILE: Specifies the previous version of
 # the CVE JSON file. If no file is provided, only the current
 # file will be considered.
 # Default: empty
@@ -29,7 +30,7 @@
 # Example: "1.0.0"
 # Default: "0.0.0"
 
-# CVE_FILTER_MARKDOWN_FILE_NAME: Specifies the name of the 
+# CVE_FILTER_MARKDOWN_FILE_NAME: Specifies the name of the
 # output Markdown file containing the list of detected CVEs.
 # Default: "${IMAGE_NAME}.md"
 
@@ -96,10 +97,12 @@ python do_cve_filter (){
     bb.plain("DONE!!")
 }
 
+do_cve_filter[doc] = "Compare the image CVE report against a previous version and emit a filtered Markdown summary of the new CVEs."
 addtask cve_filter after do_rootfs before do_image
 
 ROOTFS_POSTPROCESS_COMMAND:prepend = "link_cvefilter_markdownfile; "
 
+link_cvefilter_markdownfile[doc] = "Create a stable-named symlink to the CVE filter Markdown report in the deploy directory."
 link_cvefilter_markdownfile () {
     ln -sf ${CVE_FILTER_MARKDOWN_FILE_NAME} ${IMGDEPLOYDIR}/${IMAGE_LINK_NAME}.md
 }

classes/deploy-license-manifest.bbclass

@@ -1,13 +1,16 @@
+# nooelint: oelint.bbclass.underscores oelint.file.inlinesuppress_na  no EXPORT_FUNCTIONS here, so the dash is harmless
 ROOTFS_POSTPROCESS_COMMAND += "deploy_license_manifest;"
 IMAGE_POSTPROCESS_COMMAND += "link_license_manifest;"
 
+deploy_license_manifest[doc] = "Copy the image license manifest into the deploy directory and generate a CSV variant."
 deploy_license_manifest () {
     if [ -e "${LICENSE_DIRECTORY}/${IMAGE_NAME}/license.manifest" ]; then
         cp ${LICENSE_DIRECTORY}/${IMAGE_NAME}/license.manifest ${IMGDEPLOYDIR}/${IMAGE_NAME}.license_manifest
         sed -n '/PACKAGE NAME/{: start; /^ *$/b done; /LICENSE:/{s/: /: "/; s/$/"/;}; s/^.*://; H; n; b start; : done; x; s/^[\n ]*//; s/ *\n */,/g; p}' ${IMGDEPLOYDIR}/${IMAGE_NAME}.license_manifest >${IMGDEPLOYDIR}/${IMAGE_NAME}.license_manifest.csv
     fi
 }
 
+link_license_manifest[doc] = "Create stable-named symlinks to the deployed license manifest and its CSV variant."
 link_license_manifest () {
     if [ -e "${IMGDEPLOYDIR}/${IMAGE_NAME}.license_manifest" ]; then
         ln -sf ${IMAGE_NAME}.license_manifest ${IMGDEPLOYDIR}/${IMAGE_LINK_NAME}.license_manifest

classes/easysplash-animation.bbclass

@@ -1,3 +1,4 @@
+# nooelint: oelint.bbclass.underscores oelint.file.inlinesuppress_na  no EXPORT_FUNCTIONS here, so the dash is harmless
 # -*- python -*-
 # easysplash-animation.bbclass allows for easy packaging of EasySplash
 # animation packages.

classes/image-license-checker.bbclass

@@ -1,3 +1,4 @@
+# nooelint: oelint.bbclass.underscores oelint.file.inlinesuppress_na  no EXPORT_FUNCTIONS here, so the dash is harmless
 # Copyright (c) 2018 Arm Limited and Contributors. All rights reserved.
 #
 # SPDX-License-Identifier: MIT
@@ -43,7 +44,6 @@
 IMAGE_LICENSE_CHECKER_ROOTFS_DENYLIST ?= ""
 IMAGE_LICENSE_CHECKER_NON_ROOTFS_DENYLIST ?= ""
 
-
 def bad_license(d, license, denylist):
     """
     Check if a license string is denylisted. The license string will be
@@ -134,9 +134,9 @@ python check_rootfs_licenses() {
     if bad_packages:
         bb.fatal("Packages have denylisted licenses: {}".format(", ".join(bad_packages)))
 }
+check_rootfs_licenses[doc] = "Fail the build if any package installed on the rootfs has a denylisted license."
 ROOTFS_POSTPROCESS_COMMAND:prepend = "check_rootfs_licenses; "
 
-
 python check_deploy_licenses() {
     """
     Check recipes that deploy files used in an image (e.g. U-Boot) for
@@ -153,4 +153,5 @@ python check_deploy_licenses() {
     if bad_recipes:
         bb.fatal("Deployed image dependencies have denylisted licenses: {}".format(", ".join(bad_recipes)))
 }
+check_deploy_licenses[doc] = "Fail the build if any recipe deploying files into the image has a denylisted license."
 IMAGE_POSTPROCESS_COMMAND:prepend = "check_deploy_licenses; "

classes/layerdirs.bbclass

@@ -10,6 +10,7 @@ def save_layerdirs(d):
         for layername in (l.getVar('BBFILE_COLLECTIONS', True) or '').split():
             d.setVar('LAYERDIR_%s' % layername, layerpath)
 
+cfg_save_layerdirs[doc] = "Record each layer's directory in LAYERDIR_<collection> at config-parse time."
 python cfg_save_layerdirs () {
     save_layerdirs(d)
 }

classes/mirrors.bbclass

@@ -1,21 +1,23 @@
+# nooelint: oelint.vars.bbvars.PREMIRRORS  set here on purpose: this is the project mirror class
 PREMIRRORS:append = " \
-git://sources.redhat.com/ git://sourceware.org/ \n\
+    git://sources.redhat.com/ git://sourceware.org/ \
 "
 
+# nooelint: oelint.vars.bbvars.MIRRORS  set here on purpose: this is the project mirror class
 MIRRORS += "\
-${KERNELORG_MIRROR}/ https://kernel.googlesource.com/ \n\
-${KERNELORG_MIRROR}/ http://mirror.nexcess.net/kernel.org/ \n\
-${KERNELORG_MIRROR}/ http://mirror.gbxs.net/pub/ \n\
-${APACHE_MIRROR}/ http://archive.apache.org/dist/ \n\
-${DEBIAN_MIRROR}/ ftp://archive.debian.org/debian/pool/ \n\
-git://git.kernel.org/pub/ http://mirror.nexcess.net/kernel.org/ \n\
-\
-(ftp|https?)://.*/.* http://autobuilder.yoctoproject.org/sources/ \n\
-(ftp|https?)://.*/.* http://sources.openembedded.org/ \n\
-(ftp|https?)://.*/.* http://www.angstrom-distribution.org/unstable/sources/ \n\
-\
-(cvs|svn|git|gitsm|hg|bzr|osc|p4|svk)://.*/.* http://downloads.yoctoproject.org/mirror/sources/ \n\
-(cvs|svn|git|gitsm|hg|bzr|osc|p4|svk)://.*/.* http://autobuilder.yoctoproject.org/sources/ \n\
-(cvs|svn|git|gitsm|hg|bzr|osc|p4|svk)://.*/.* http://sources.openembedded.org/ \n\
-(cvs|svn|git|gitsm|hg|bzr|osc|p4|svk)://.*/.* http://www.angstrom-distribution.org/unstable/sources/ \n\
+    ${KERNELORG_MIRROR}/ https://kernel.googlesource.com/ \
+    ${KERNELORG_MIRROR}/ http://mirror.nexcess.net/kernel.org/ \
+    ${KERNELORG_MIRROR}/ http://mirror.gbxs.net/pub/ \
+    ${APACHE_MIRROR}/ http://archive.apache.org/dist/ \
+    ${DEBIAN_MIRROR}/ ftp://archive.debian.org/debian/pool/ \
+    git://git.kernel.org/pub/ http://mirror.nexcess.net/kernel.org/ \
+    \
+    (ftp|https?)://.*/.* http://autobuilder.yoctoproject.org/sources/ \
+    (ftp|https?)://.*/.* http://sources.openembedded.org/ \
+    (ftp|https?)://.*/.* http://www.angstrom-distribution.org/unstable/sources/ \
+    \
+    (cvs|svn|git|gitsm|hg|bzr|osc|p4|svk)://.*/.* http://downloads.yoctoproject.org/mirror/sources/ \
+    (cvs|svn|git|gitsm|hg|bzr|osc|p4|svk)://.*/.* http://autobuilder.yoctoproject.org/sources/ \
+    (cvs|svn|git|gitsm|hg|bzr|osc|p4|svk)://.*/.* http://sources.openembedded.org/ \
+    (cvs|svn|git|gitsm|hg|bzr|osc|p4|svk)://.*/.* http://www.angstrom-distribution.org/unstable/sources/ \
 "

classes/ossystems-distro-version.bbclass

@@ -1,3 +1,4 @@
+# nooelint: oelint.bbclass.underscores oelint.file.inlinesuppress_na  no EXPORT_FUNCTIONS here, so the dash is harmless
 # -*- python -*-
 # ossystems-distro-version.bbclass provides a DISTRO_VERSION variable
 # that can be used to identify the release of a product.

classes/ossystems-factory-defaults-base.bbclass

@@ -1,3 +1,4 @@
+# nooelint: oelint.bbclass.underscores oelint.file.inlinesuppress_na  no EXPORT_FUNCTIONS here, so the dash is harmless
 OSSYSTEMS_FACTORY_DEFAULTS_DIR ?= "${datadir}/factory-defaults"
 OSSYSTEMS_FACTORY_DEFAULTS_FILES ?= ""
 OSSYSTEMS_FACTORY_DEFAULTS_HOOKS ?= ""

classes/ossystems-factory-defaults.bbclass

@@ -1,3 +1,4 @@
+# nooelint: oelint.bbclass.underscores oelint.file.inlinesuppress_na  no EXPORT_FUNCTIONS here, so the dash is harmless
 # Copyright (c) 2015-2020 O.S. Systems Software LTDA.
 #
 # The ossystems-factory-defaults class provides some variables that
@@ -32,6 +33,7 @@
 
 inherit ossystems-factory-defaults-base
 
+member[doc] = "Return success if the first argument is present in the remaining arguments."
 member() {
     elt=$1
     shift
@@ -65,7 +67,7 @@ do_install:append() {
     local dir
     for file in $no_leading_slash; do
         dir="${D}/`dirname $file`"
-        mkdir -p $dir
+        install -d $dir
         cd $dir
         ln -sf ${OSSYSTEMS_FACTORY_DEFAULTS_RUNTIME_DIR}/$file `basename $file`
     done

classes/ossystems-onsite-only-recipe-handler.bbclass

@@ -1,3 +1,4 @@
+# nooelint: oelint.bbclass.underscores oelint.file.inlinesuppress_na  no EXPORT_FUNCTIONS here, so the dash is harmless
 # -*- python -*-
 # ossystems-onsite-only-recipe-handler.bbclass
 # Copyright (C) 2015-2020 O.S. Systems Software Ltda. All Rights Reserved
@@ -43,11 +44,13 @@ def ossystems_onsite_only_recipe_check(d):
             raise bb.parse.SkipPackage("O.S. Systems OnSite-Only Recipes handler: recipe skipped.")
 
 addhandler ossystems_onsite_only_recipe_eventhandler
+ossystems_onsite_only_recipe_eventhandler[doc] = "Disable on-site-only recipes at ConfigParsed when building off-site."
 python ossystems_onsite_only_recipe_eventhandler() {
     if bb.event.getName(e) == "ConfigParsed":
         ossystems_onsite_only_recipe_handler(e.data)
 }
 
+# nooelint: oelint.task.noanonpython  required to SkipPackage per-recipe at parse time
 python () {
     ossystems_onsite_only_recipe_check(d)
 }

classes/ossystems-srcrev-handler.bbclass

@@ -1,3 +1,4 @@
+# nooelint: oelint.bbclass.underscores oelint.file.inlinesuppress_na  no EXPORT_FUNCTIONS here, so the dash is harmless
 # -*- python -*-
 # ossystems-srcrev-handler.bbclass
 # Copyright (C) 2013, 2014 O.S. Systems Software Ltda.  All Rights Reserved
@@ -52,6 +53,7 @@ def ossystems_srcrev_handler(d):
             d.setVar("SRCREV:pn-%s" % pkg, rev)
 
 addhandler ossystems_srcrev_eventhandler
+ossystems_srcrev_eventhandler[doc] = "Apply the project per-recipe SRCREV overrides at ConfigParsed."
 python ossystems_srcrev_eventhandler() {
     if bb.event.getName(e) == "ConfigParsed":
         ossystems_srcrev_handler(e.data)