CycloneDX is an open source standard developed by the OWASP foundation.
It supports a wide range of development ecosystems, a comprehensive set
of use cases, and focuses on automation, ease of adoption, and
progressive enhancement of SBOMs (Software Bill Of Materials) throughout
build pipelines.
So lets add support for CycloneDX SBOM for packages and images
manifests.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit d604a07225)
There is no standard for ABI versioning, so its not possible to find out
from `libext2fs2`, `libiwinfo20230701` or `libss2` package names if
thats just package name or package name with ABI version included. To
help with the decision, lets make ABI version aviable in package index.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 649655f427)
Common Platform Enumeration (CPE) is a structured naming scheme for
information technology systems, software, and packages.
In order for the information to be processed further, it should also be
available in JSON package manifests.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 8562c65ff8)
Some packages may require additional group membership for the system
user added by that package. Allow defining additional groups as third
member of the ':'-separated tuple, allowing to specify multiple
','-separated groups with optional GID.
Example:
USERID:=foouser=1000:foogroup=1000:addg1=1001,addg2=1002,addg3
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Preparation for supporting dynamic ABI versions that depend on the runtime
configuration. Read the suffix from the staging dir pkginfo version files.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
By specifying "BROKEN := 1" or "BROKEN := y" for a device, it will be
hidden (and deselected) by default. By that, it provides a stronger
option to "disable" a device beyond just using DEFAULT := n.
To make these devices visible, just enable the BROKEN option in
developer settings as already implemented for targets and packages.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Allow overriding the default selection state for Devices, similar to
setting a default for packages.
E.g. by setting DEFAULT to n, they won't be selected by default anymore
when enabling all device in the multi device profile.
This allows preventing images being built by the default config for
known broken devices, devices without enough RAM/flash, or devices not
working with a certain kernel versions.
This does not prevent the devices from being manually selected or images
being built by the ImageBuilder. These devices often still have worth
with a reduced package-set, or as a device for regression testing, when
no better device is available.
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
If the target supports a newer kernel version that is not used by default
yet, it can be enabled with this option
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Having image metadata (and signature) appended is a condition for
semi-automated sysupgrade, hence IB needs to be able to tell which
images will end up with metadata.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Subdequent commits need this information to resolve the ABI version when
computing binary ipk dependencies.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The need arises from building Open vSwitch kernel datapath modules, e.g.
- kmod-openvswitch from Linux upstream
- kmod-openvswitch-intree from openvswitch source code
where both provides virtual package "kmod-openvswitch" for userspace
packages to select and depend on
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
/lib/functions.sh can deal with Require-User specifications that only
contain a group, but no user. Adjust metadata.pm to allow such
specifications as well.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Package "features" seem to be unused for some time. In any case, custom
Config.in snippets and package PROVIDES are a much more flexible way to
express similar options.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Properly resolve build depends to source packages and runtime depends to
binary packages. Dependencies on virtual packages are resolved to the first
provider now.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Instead of adding virtual packages to the normal package list, keep a
separate list for provides, make each package provide itself, and resolve
all dependencies through this list. This allows to use PROVIDES to replace
existing packages.
Fixes FS#837.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
This feature has been unused for years, and its scope is too limited to be
actually useful.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Every single reference to subdir was concatenated with the source package
name, so it makes sense to store the concatenated value instead.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
We often want to access fields of a source packages through pkg->{src}.
Allow accessing them directly instead of resolving the source hash through
srcpackages.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
All build dependencies are between source packages. Interating over source
rather than binary packages simplifies parts of the code and prepares
further improvement.
As a side effect, this changes the implicit default variant of a few
packages (the first defined is used now instead of the lexicographically
first).
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Build types are a property of source rather than binary packages. This is a
preparation for followup cleanup.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Turn the srcpackage values into hashes to allow storing more information
than just binary package names.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
The script will now detect uid/gid collision and can generate a table of
current allocation
./scripts/package-metadata.pl usergroup tmp/.packageinfo \
| sort -k 1,1r -k 3,3n \
| column -t
This should ensure that no collision will happen for each single build
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Instead of ignoring all metadata for package/kernel/linux, process it
and only suppress emitting config data to tmp/.config-package.in
This ensures that packages that select kmod-* packages can inherit their
depdendencies.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This is useful to just use the kmods from an official build while supplying
base packages from a custom feed or the other way around; for just overriding
the kmods with a local repo while using official repos for the rest.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 48475
With this change, override information is now parsed from the metadata
and put in the %packages hash. A new hash - %overrides - is created and
exported, to be used during the .config-package.in generation.
If an override is detected, a new option CONFIG_OVERRIDE_PKGS will be
created in the .config, and will contain a space-separated list of all
the overridden packages.
Signed-off-by: Mathieu Olivari <mathieu@qca.qualcomm.com>
SVN-Revision: 44336
Many packages define already metadata about their license (PKG_LICENSE),
but this is only included in the ipk files.
This change allows to create the information also on the build-host,
to get an overview on the used licenses.
In the full list, also all packages without this info are shown
Signed-off-by: Thomas Langer <thomas.langer@lantiq.com>
SVN-Revision: 43070
This changeset implements a new menuconfig option to generate separate
repositories for each enabled package feed instead of one monolithic one.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 42002