[OE-core][walnascar 0/3] Patch review

[OE-core][walnascar 0/3] Patch review

[Steve Sakoman]

Please review this set of changes for walnascar and have comments back by
end of day Thursday, August 14

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2180

The following changes since commit 69090e41eb0a8b92e0684d391966f9627bfe5195:

  ca-certificates: correct the SRC_URI (2025-08-07 12:35:30 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/walnascar-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/walnascar-nut

Khem Raj (2):
  glibc: Forward -ffile-prefix-map option to assembler flags
  bitbake.conf: Switch prefix mapping to use -ffile-prefix-map

Peter Marko (1):
  dropbear: patch CVE-2025-47203

 meta/classes-recipe/kernel-arch.bbclass       |   6 +-
 meta/conf/bitbake.conf                        |  14 +-
 meta/lib/oe/package.py                        |   2 +-
 .../dropbear/dropbear/CVE-2025-47203.patch    | 373 ++++++++++++++++++
 .../recipes-core/dropbear/dropbear_2024.86.bb |   1 +
 ...le-prefix-map-from-CFLAGS-to-ASFLAGS.patch |  24 ++
 meta/recipes-core/glibc/glibc_2.41.bb         |   1 +
 meta/recipes-devtools/gcc/libgfortran.inc     |   2 +-
 .../python/python3-maturin_1.8.3.bb           |   2 +-
 meta/recipes-devtools/rust/cargo_1.84.1.bb    |   2 +-
 10 files changed, 410 insertions(+), 17 deletions(-)
 create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2025-47203.patch
 create mode 100644 meta/recipes-core/glibc/glibc/0001-Propagate-ffile-prefix-map-from-CFLAGS-to-ASFLAGS.patch

-- 
2.43.0

[OE-core][walnascar 1/3] dropbear: patch CVE-2025-47203

[Steve Sakoman]

From: Peter Marko <peter.marko@siemens.com>

Pick patch per Debian security page [1].

[1] https://security-tracker.debian.org/tracker/CVE-2025-47203

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../dropbear/dropbear/CVE-2025-47203.patch    | 373 ++++++++++++++++++
 .../recipes-core/dropbear/dropbear_2024.86.bb |   1 +
 2 files changed, 374 insertions(+)
 create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2025-47203.patch

diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2025-47203.patch b/meta/recipes-core/dropbear/dropbear/CVE-2025-47203.patch
new file mode 100644
index 0000000000..9ce0f10588
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/CVE-2025-47203.patch
@@ -0,0 +1,373 @@
+From e5a0ef27c227f7ae69d9a9fec98a056494409b9b Mon Sep 17 00:00:00 2001
+From: Matt Johnston <matt@ucc.asn.au>
+Date: Mon, 5 May 2025 23:14:19 +0800
+Subject: [PATCH] Execute multihop commands directly, no shell
+
+This avoids problems with shell escaping if arguments contain special
+characters.
+
+CVE: CVE-2025-47203
+Upstream-Status: Backport [https://github.com/mkj/dropbear/commit/e5a0ef27c227f7ae69d9a9fec98a056494409b9b]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/cli-main.c    |  59 +++++++++++++++++---------
+ src/cli-runopts.c | 104 ++++++++++++++++++++++++++++------------------
+ src/dbutil.c      |   9 +++-
+ src/dbutil.h      |   1 +
+ src/runopts.h     |   5 +++
+ 5 files changed, 117 insertions(+), 61 deletions(-)
+
+diff --git a/src/cli-main.c b/src/cli-main.c
+index 065fd76..2fafa88 100644
+--- a/src/cli-main.c
++++ b/src/cli-main.c
+@@ -77,9 +77,8 @@ int main(int argc, char ** argv) {
+ 	}
+ 
+ #if DROPBEAR_CLI_PROXYCMD
+-	if (cli_opts.proxycmd) {
++	if (cli_opts.proxycmd || cli_opts.proxyexec) {
+ 		cli_proxy_cmd(&sock_in, &sock_out, &proxy_cmd_pid);
+-		m_free(cli_opts.proxycmd);
+ 		if (signal(SIGINT, kill_proxy_sighandler) == SIG_ERR ||
+ 			signal(SIGTERM, kill_proxy_sighandler) == SIG_ERR ||
+ 			signal(SIGHUP, kill_proxy_sighandler) == SIG_ERR) {
+@@ -101,7 +100,8 @@ int main(int argc, char ** argv) {
+ }
+ #endif /* DBMULTI stuff */
+ 
+-static void exec_proxy_cmd(const void *user_data_cmd) {
++#if DROPBEAR_CLI_PROXYCMD
++static void shell_proxy_cmd(const void *user_data_cmd) {
+ 	const char *cmd = user_data_cmd;
+ 	char *usershell;
+ 
+@@ -110,41 +110,62 @@ static void exec_proxy_cmd(const void *user_data_cmd) {
+ 	dropbear_exit("Failed to run '%s'\n", cmd);
+ }
+ 
+-#if DROPBEAR_CLI_PROXYCMD
++static void exec_proxy_cmd(const void *unused) {
++	(void)unused;
++	run_command(cli_opts.proxyexec[0], cli_opts.proxyexec, ses.maxfd);
++	dropbear_exit("Failed to run '%s'\n", cli_opts.proxyexec[0]);
++}
++
+ static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) {
+-	char * ex_cmd = NULL;
+-	size_t ex_cmdlen;
++	char * cmd_arg = NULL;
++	void (*exec_fn)(const void *user_data) = NULL;
+ 	int ret;
+ 
++	/* exactly one of cli_opts.proxycmd or cli_opts.proxyexec should be set */
++
+ 	/* File descriptor "-j &3" */
+-	if (*cli_opts.proxycmd == '&') {
++	if (cli_opts.proxycmd && *cli_opts.proxycmd == '&') {
+ 		char *p = cli_opts.proxycmd + 1;
+ 		int sock = strtoul(p, &p, 10);
+ 		/* must be a single number, and not stdin/stdout/stderr */
+ 		if (sock > 2 && sock < 1024 && *p == '\0') {
+ 			*sock_in = sock;
+ 			*sock_out = sock;
+-			return;
++			goto cleanup;
+ 		}
+ 	}
+ 
+-	/* Normal proxycommand */
++	if (cli_opts.proxycmd) {
++		/* Normal proxycommand */
++		size_t shell_cmdlen;
++		/* So that spawn_command knows which shell to run */
++		fill_passwd(cli_opts.own_user);
+ 
+-	/* So that spawn_command knows which shell to run */
+-	fill_passwd(cli_opts.own_user);
++		shell_cmdlen = strlen(cli_opts.proxycmd) + 6; /* "exec " + command + '\0' */
++		cmd_arg = m_malloc(shell_cmdlen);
++		snprintf(cmd_arg, shell_cmdlen, "exec %s", cli_opts.proxycmd);
++		exec_fn = shell_proxy_cmd;
++	} else {
++		/* No shell */
++		exec_fn = exec_proxy_cmd;
++	}
+ 
+-	ex_cmdlen = strlen(cli_opts.proxycmd) + 6; /* "exec " + command + '\0' */
+-	ex_cmd = m_malloc(ex_cmdlen);
+-	snprintf(ex_cmd, ex_cmdlen, "exec %s", cli_opts.proxycmd);
+-
+-	ret = spawn_command(exec_proxy_cmd, ex_cmd,
+-			sock_out, sock_in, NULL, pid_out);
+-	DEBUG1(("cmd: %s  pid=%d", ex_cmd,*pid_out))
+-	m_free(ex_cmd);
++	ret = spawn_command(exec_fn, cmd_arg, sock_out, sock_in, NULL, pid_out);
+ 	if (ret == DROPBEAR_FAILURE) {
+ 		dropbear_exit("Failed running proxy command");
+ 		*sock_in = *sock_out = -1;
+ 	}
++
++cleanup:
++	m_free(cli_opts.proxycmd);
++	m_free(cmd_arg);
++	if (cli_opts.proxyexec) {
++		char **a = NULL;
++		for (a = cli_opts.proxyexec; *a; a++) {
++			m_free_direct(*a);
++		}
++		m_free(cli_opts.proxyexec);
++	}
+ }
+ 
+ static void kill_proxy_sighandler(int UNUSED(signo)) {
+diff --git a/src/cli-runopts.c b/src/cli-runopts.c
+index b664293..a21b7a2 100644
+--- a/src/cli-runopts.c
++++ b/src/cli-runopts.c
+@@ -556,62 +556,88 @@ void loadidentityfile(const char* filename, int warnfail) {
+ 
+ /* Fill out -i, -y, -W options that make sense for all
+  * the intermediate processes */
+-static char* multihop_passthrough_args(void) {
+-	char *args = NULL;
+-	unsigned int len, total;
++static char** multihop_args(const char* argv0, const char* prior_hops) {
++	/* null terminated array */
++	char **args = NULL;
++	size_t max_args = 14, pos = 0, len;
+ #if DROPBEAR_CLI_PUBKEY_AUTH
+ 	m_list_elem *iter;
+ #endif
+-	/* Sufficient space for non-string args */
+-	len = 100;
+ 
+-	/* String arguments have arbitrary length, so determine space required */
+-	if (cli_opts.proxycmd) {
+-		len += strlen(cli_opts.proxycmd);
+-	}
+ #if DROPBEAR_CLI_PUBKEY_AUTH
+ 	for (iter = cli_opts.privkeys->first; iter; iter = iter->next)
+ 	{
+-		sign_key * key = (sign_key*)iter->item;
+-		len += 4 + strlen(key->filename);
++		/* "-i file" for each */
++		max_args += 2;
+ 	}
+ #endif
+ 
+-	args = m_malloc(len);
+-	total = 0;
++	args = m_malloc(sizeof(char*) * max_args);
++	pos = 0;
+ 
+-	/* Create new argument string */
++	args[pos] = m_strdup(argv0);
++	pos++;
+ 
+ 	if (cli_opts.quiet) {
+-		total += m_snprintf(args+total, len-total, "-q ");
++		args[pos] = m_strdup("-q");
++		pos++;
+ 	}
+ 
+ 	if (cli_opts.no_hostkey_check) {
+-		total += m_snprintf(args+total, len-total, "-y -y ");
++		args[pos] = m_strdup("-y");
++		pos++;
++		args[pos] = m_strdup("-y");
++		pos++;
+ 	} else if (cli_opts.always_accept_key) {
+-		total += m_snprintf(args+total, len-total, "-y ");
++		args[pos] = m_strdup("-y");
++		pos++;
+ 	}
+ 
+ 	if (cli_opts.batch_mode) {
+-		total += m_snprintf(args+total, len-total, "-o BatchMode=yes ");
++		args[pos] = m_strdup("-o");
++		pos++;
++		args[pos] = m_strdup("BatchMode=yes");
++		pos++;
+ 	}
+ 
+ 	if (cli_opts.proxycmd) {
+-		total += m_snprintf(args+total, len-total, "-J '%s' ", cli_opts.proxycmd);
++		args[pos] = m_strdup("-J");
++		pos++;
++		args[pos] = m_strdup(cli_opts.proxycmd);
++		pos++;
+ 	}
+ 
+ 	if (opts.recv_window != DEFAULT_RECV_WINDOW) {
+-		total += m_snprintf(args+total, len-total, "-W %u ", opts.recv_window);
++		args[pos] = m_strdup("-W");
++		pos++;
++		args[pos] = m_malloc(11);
++		m_snprintf(args[pos], 11, "%u", opts.recv_window);
++		pos++;
+ 	}
+ 
+ #if DROPBEAR_CLI_PUBKEY_AUTH
+ 	for (iter = cli_opts.privkeys->first; iter; iter = iter->next)
+ 	{
+ 		sign_key * key = (sign_key*)iter->item;
+-		total += m_snprintf(args+total, len-total, "-i %s ", key->filename);
++		args[pos] = m_strdup("-i");
++		pos++;
++		args[pos] = m_strdup(key->filename);
++		pos++;
+ 	}
+ #endif /* DROPBEAR_CLI_PUBKEY_AUTH */
+ 
++	/* last hop */
++	args[pos] = m_strdup("-B");
++	pos++;
++	len = strlen(cli_opts.remotehost) + strlen(cli_opts.remoteport) + 2;
++	args[pos] = m_malloc(len);
++	snprintf(args[pos], len, "%s:%s", cli_opts.remotehost, cli_opts.remoteport);
++	pos++;
++
++	/* hostnames of prior hops */
++	args[pos] = m_strdup(prior_hops);
++	pos++;
++
+ 	return args;
+ }
+ 
+@@ -626,7 +652,7 @@ static char* multihop_passthrough_args(void) {
+  * etc for as many hosts as we want.
+  *
+  * Note that "-J" arguments aren't actually used, instead
+- * below sets cli_opts.proxycmd directly.
++ * below sets cli_opts.proxyexec directly.
+  *
+  * Ports for hosts can be specified as host/port.
+  */
+@@ -634,7 +660,7 @@ static void parse_multihop_hostname(const char* orighostarg, const char* argv0)
+ 	char *userhostarg = NULL;
+ 	char *hostbuf = NULL;
+ 	char *last_hop = NULL;
+-	char *remainder = NULL;
++	char *prior_hops = NULL;
+ 
+ 	/* both scp and rsync parse a user@host argument
+ 	 * and turn it into "-l user host". This breaks
+@@ -652,6 +678,8 @@ static void parse_multihop_hostname(const char* orighostarg, const char* argv0)
+ 	}
+ 	userhostarg = hostbuf;
+ 
++	/* Split off any last hostname and use that as remotehost/remoteport.
++	 * That is used for authorized_keys checking etc */
+ 	last_hop = strrchr(userhostarg, ',');
+ 	if (last_hop) {
+ 		if (last_hop == userhostarg) {
+@@ -659,32 +687,28 @@ static void parse_multihop_hostname(const char* orighostarg, const char* argv0)
+ 		}
+ 		*last_hop = '\0';
+ 		last_hop++;
+-		remainder = userhostarg;
++		prior_hops = userhostarg;
+ 		userhostarg = last_hop;
+ 	}
+ 
++	/* Update cli_opts.remotehost and cli_opts.remoteport */
+ 	parse_hostname(userhostarg);
+ 
+-	if (last_hop) {
+-		/* Set up the proxycmd */
+-		unsigned int cmd_len = 0;
+-		char *passthrough_args = multihop_passthrough_args();
+-		cmd_len = strlen(argv0) + strlen(remainder)
+-			+ strlen(cli_opts.remotehost) + strlen(cli_opts.remoteport)
+-			+ strlen(passthrough_args)
+-			+ 30;
+-		/* replace proxycmd. old -J arguments have been copied
+-		   to passthrough_args */
+-		cli_opts.proxycmd = m_realloc(cli_opts.proxycmd, cmd_len);
+-		m_snprintf(cli_opts.proxycmd, cmd_len, "%s -B %s:%s %s %s",
+-				argv0, cli_opts.remotehost, cli_opts.remoteport,
+-				passthrough_args, remainder);
++	/* Construct any multihop proxy command. Use proxyexec to
++	 * avoid worrying about shell escaping. */
++	if (prior_hops) {
++		cli_opts.proxyexec = multihop_args(argv0, prior_hops);
++		/* Any -J argument has been copied to proxyexec */
++		if (cli_opts.proxycmd) {
++			m_free(cli_opts.proxycmd);
++		}
++
+ #ifndef DISABLE_ZLIB
+-		/* The stream will be incompressible since it's encrypted. */
++		/* This outer stream will be incompressible since it's encrypted. */
+ 		opts.compress_mode = DROPBEAR_COMPRESS_OFF;
+ #endif
+-		m_free(passthrough_args);
+ 	}
++
+ 	m_free(hostbuf);
+ }
+ #endif /* DROPBEAR_CLI_MULTIHOP */
+diff --git a/src/dbutil.c b/src/dbutil.c
+index 2b44921..a70025e 100644
+--- a/src/dbutil.c
++++ b/src/dbutil.c
+@@ -371,7 +371,6 @@ int spawn_command(void(*exec_fn)(const void *user_data), const void *exec_data,
+ void run_shell_command(const char* cmd, unsigned int maxfd, char* usershell) {
+ 	char * argv[4];
+ 	char * baseshell = NULL;
+-	unsigned int i;
+ 
+ 	baseshell = basename(usershell);
+ 
+@@ -393,6 +392,12 @@ void run_shell_command(const char* cmd, unsigned int maxfd, char* usershell) {
+ 		argv[1] = NULL;
+ 	}
+ 
++	run_command(usershell, argv, maxfd);
++}
++
++void run_command(const char* argv0, char** args, unsigned int maxfd) {
++	unsigned int i;
++
+ 	/* Re-enable SIGPIPE for the executed process */
+ 	if (signal(SIGPIPE, SIG_DFL) == SIG_ERR) {
+ 		dropbear_exit("signal() error");
+@@ -404,7 +409,7 @@ void run_shell_command(const char* cmd, unsigned int maxfd, char* usershell) {
+ 		m_close(i);
+ 	}
+ 
+-	execv(usershell, argv);
++	execv(argv0, args);
+ }
+ 
+ #if DEBUG_TRACE
+diff --git a/src/dbutil.h b/src/dbutil.h
+index 05fc50c..bfbed73 100644
+--- a/src/dbutil.h
++++ b/src/dbutil.h
+@@ -63,6 +63,7 @@ char * stripcontrol(const char * text);
+ int spawn_command(void(*exec_fn)(const void *user_data), const void *exec_data,
+ 		int *writefd, int *readfd, int *errfd, pid_t *pid);
+ void run_shell_command(const char* cmd, unsigned int maxfd, char* usershell);
++void run_command(const char* argv0, char** args, unsigned int maxfd);
+ #if ENABLE_CONNECT_UNIX
+ int connect_unix(const char* addr);
+ #endif
+diff --git a/src/runopts.h b/src/runopts.h
+index c4061a0..f255882 100644
+--- a/src/runopts.h
++++ b/src/runopts.h
+@@ -197,7 +197,12 @@ typedef struct cli_runopts {
+ 	unsigned int netcat_port;
+ #endif
+ #if DROPBEAR_CLI_PROXYCMD
++	/* A proxy command to run via the user's shell */
+ 	char *proxycmd;
++#endif
++#if DROPBEAR_CLI_MULTIHOP
++	/* Similar to proxycmd, but is arguments for execve(), not shell */
++	char **proxyexec;
+ #endif
+ 	const char *bind_arg;
+ 	char *bind_address;
diff --git a/meta/recipes-core/dropbear/dropbear_2024.86.bb b/meta/recipes-core/dropbear/dropbear_2024.86.bb
index be246a0ccd..10b7cb5c03 100644
--- a/meta/recipes-core/dropbear/dropbear_2024.86.bb
+++ b/meta/recipes-core/dropbear/dropbear_2024.86.bb
@@ -21,6 +21,7 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
            file://dropbear.default \
            ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
            ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \
+           file://CVE-2025-47203.patch \
            "
 
 SRC_URI[sha256sum] = "e78936dffc395f2e0db099321d6be659190966b99712b55c530dd0a1822e0a5e"
-- 
2.43.0

[OE-core][walnascar 2/3] glibc: Forward -ffile-prefix-map option to assembler flags

[Steve Sakoman]

From: Khem Raj <raj.khem@gmail.com>

(From OE-Core rev: a85cccc80aa7e6d6a5850c2d730cba5e1cb60cb3)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...le-prefix-map-from-CFLAGS-to-ASFLAGS.patch | 24 +++++++++++++++++++
 meta/recipes-core/glibc/glibc_2.41.bb         |  1 +
 2 files changed, 25 insertions(+)
 create mode 100644 meta/recipes-core/glibc/glibc/0001-Propagate-ffile-prefix-map-from-CFLAGS-to-ASFLAGS.patch

diff --git a/meta/recipes-core/glibc/glibc/0001-Propagate-ffile-prefix-map-from-CFLAGS-to-ASFLAGS.patch b/meta/recipes-core/glibc/glibc/0001-Propagate-ffile-prefix-map-from-CFLAGS-to-ASFLAGS.patch
new file mode 100644
index 0000000000..96140c625b
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0001-Propagate-ffile-prefix-map-from-CFLAGS-to-ASFLAGS.patch
@@ -0,0 +1,24 @@
+From 603e50d6b8ccadb32d59b0497f76629665c1794b Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Wed, 16 Apr 2025 19:51:01 -0700
+Subject: [PATCH] Propagate -ffile-prefix-map from CFLAGS to ASFLAGS.
+
+Upstream-Status: Submitted [https://sourceware.org/pipermail/libc-alpha/2025-April/165969.html]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
+---
+ Makeconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makeconfig b/Makeconfig
+index e35c5cfe4e..7a19c731c6 100644
+--- a/Makeconfig
++++ b/Makeconfig
+@@ -1176,7 +1176,7 @@ endif
+ 
+ # The assembler can generate debug information too.
+ ifndef ASFLAGS
+-ASFLAGS := $(filter -g% -fdebug-prefix-map=%,$(CFLAGS))
++ASFLAGS := $(filter -g% -fdebug-prefix-map=% -ffile-prefix-map=%,$(CFLAGS))
+ endif
+ override ASFLAGS += -Werror=undef $(ASFLAGS-config) $(asflags-cpu)
diff --git a/meta/recipes-core/glibc/glibc_2.41.bb b/meta/recipes-core/glibc/glibc_2.41.bb
index 8a65e8ce9f..e770c3e275 100644
--- a/meta/recipes-core/glibc/glibc_2.41.bb
+++ b/meta/recipes-core/glibc/glibc_2.41.bb
@@ -54,6 +54,7 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
            file://0022-Avoid-hardcoded-build-time-paths-in-the-output-binar.patch \
            file://0023-tests-Skip-2-qemu-tests-that-can-hang-in-oe-selftest.patch \
            file://0001-stdlib-Add-single-threaded-fast-path-to-rand.patch \
+           file://0001-Propagate-ffile-prefix-map-from-CFLAGS-to-ASFLAGS.patch \
 "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"
-- 
2.43.0

[OE-core][walnascar 3/3] bitbake.conf: Switch prefix mapping to use -ffile-prefix-map

[Steve Sakoman]

From: Khem Raj <raj.khem@gmail.com>

-ffile-prefix map is more comprehensive when it comes to reproducible
builds and its superset of all prefix-mapping options in compilers

(From OE-Core rev: ff73fa7ef7666a6dbe34f15515bc3ab6e574c5b0)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes-recipe/kernel-arch.bbclass            |  6 ++----
 meta/conf/bitbake.conf                             | 14 +++++---------
 meta/lib/oe/package.py                             |  2 +-
 meta/recipes-devtools/gcc/libgfortran.inc          |  2 +-
 .../python/python3-maturin_1.8.3.bb                |  2 +-
 meta/recipes-devtools/rust/cargo_1.84.1.bb         |  2 +-
 6 files changed, 11 insertions(+), 17 deletions(-)

diff --git a/meta/classes-recipe/kernel-arch.bbclass b/meta/classes-recipe/kernel-arch.bbclass
index 36a6e0a60a..749a266ea3 100644
--- a/meta/classes-recipe/kernel-arch.bbclass
+++ b/meta/classes-recipe/kernel-arch.bbclass
@@ -73,10 +73,8 @@ HOST_OBJCOPY_KERNEL_ARCH ?= "${TARGET_OBJCOPY_KERNEL_ARCH}"
 
 KERNEL_CC = "${CCACHE}${HOST_PREFIX}gcc ${HOST_CC_KERNEL_ARCH} \
  -fuse-ld=bfd ${DEBUG_PREFIX_MAP} \
- -fdebug-prefix-map=${STAGING_KERNEL_DIR}=${KERNEL_SRC_PATH} \
- -fmacro-prefix-map=${STAGING_KERNEL_DIR}=${KERNEL_SRC_PATH} \
- -fdebug-prefix-map=${STAGING_KERNEL_BUILDDIR}=${KERNEL_SRC_PATH} \
- -fmacro-prefix-map=${STAGING_KERNEL_BUILDDIR}=${KERNEL_SRC_PATH} \
+ -ffile-prefix-map=${STAGING_KERNEL_DIR}=${KERNEL_SRC_PATH} \
+ -ffile-prefix-map=${STAGING_KERNEL_BUILDDIR}=${KERNEL_SRC_PATH} \
 "
 KERNEL_LD = "${HOST_PREFIX}ld.bfd ${HOST_LD_KERNEL_ARCH}"
 KERNEL_AR = "${HOST_PREFIX}ar ${HOST_AR_KERNEL_ARCH}"
diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf
index 501808204e..b1dae17267 100644
--- a/meta/conf/bitbake.conf
+++ b/meta/conf/bitbake.conf
@@ -652,15 +652,11 @@ EXTRA_OEMAKE:prepend:task-install = "${PARALLEL_MAKEINST} "
 ##################################################################
 TARGET_DBGSRC_DIR ?= "/usr/src/debug/${PN}/${PV}"
 # Beware: applied last to first
-DEBUG_PREFIX_MAP ?= "-fcanon-prefix-map \
- -fmacro-prefix-map=${S}=${TARGET_DBGSRC_DIR} \
- -fdebug-prefix-map=${S}=${TARGET_DBGSRC_DIR} \
- -fmacro-prefix-map=${B}=${TARGET_DBGSRC_DIR} \
- -fdebug-prefix-map=${B}=${TARGET_DBGSRC_DIR} \
- -fdebug-prefix-map=${STAGING_DIR_HOST}= \
- -fmacro-prefix-map=${STAGING_DIR_HOST}= \
- -fdebug-prefix-map=${STAGING_DIR_NATIVE}= \
- -fmacro-prefix-map=${STAGING_DIR_NATIVE}= \
+DEBUG_PREFIX_MAP ?= "\
+ -ffile-prefix-map=${S}=${TARGET_DBGSRC_DIR} \
+ -ffile-prefix-map=${B}=${TARGET_DBGSRC_DIR} \
+ -ffile-prefix-map=${STAGING_DIR_HOST}= \
+ -ffile-prefix-map=${STAGING_DIR_NATIVE}= \
 "
 DEBUG_LEVELFLAG ?= "-g"
 
diff --git a/meta/lib/oe/package.py b/meta/lib/oe/package.py
index 0db14f2164..0bcc04ea54 100644
--- a/meta/lib/oe/package.py
+++ b/meta/lib/oe/package.py
@@ -991,7 +991,7 @@ def copydebugsources(debugsrcdir, sources, d):
 
         prefixmap = {}
         for flag in cflags.split():
-            if not flag.startswith("-fdebug-prefix-map"):
+            if not flag.startswith("-ffile-prefix-map"):
                 continue
             if "recipe-sysroot" in flag:
                 continue
diff --git a/meta/recipes-devtools/gcc/libgfortran.inc b/meta/recipes-devtools/gcc/libgfortran.inc
index 4560421ed1..fa6aecaaa3 100644
--- a/meta/recipes-devtools/gcc/libgfortran.inc
+++ b/meta/recipes-devtools/gcc/libgfortran.inc
@@ -8,7 +8,7 @@ EXTRA_OECONF_PATHS = "\
 # An arm hard float target like raspberrypi4 won't build
 # as CFLAGS don't make it to the fortran compiler otherwise
 # (the configure script sets FC to $GFORTRAN unconditionally)
-export GFORTRAN = "${FC} -fcanon-prefix-map -fdebug-prefix-map=${S}=${TARGET_DBGSRC_DIR} -fdebug-prefix-map=${B}=${TARGET_DBGSRC_DIR} -gno-record-gcc-switches"
+export GFORTRAN = "${FC} -ffile-prefix-map=${S}=${TARGET_DBGSRC_DIR} -ffile-prefix-map=${B}=${TARGET_DBGSRC_DIR} -gno-record-gcc-switches"
 
 do_configure () {
 	for target in libbacktrace libgfortran
diff --git a/meta/recipes-devtools/python/python3-maturin_1.8.3.bb b/meta/recipes-devtools/python/python3-maturin_1.8.3.bb
index 17c8fb7083..ad61aac856 100644
--- a/meta/recipes-devtools/python/python3-maturin_1.8.3.bb
+++ b/meta/recipes-devtools/python/python3-maturin_1.8.3.bb
@@ -9,7 +9,7 @@ SRC_URI[sha256sum] = "304762f86fd53a8031b1bf006d12572a2aa0a5235485031113195cc015
 
 S = "${WORKDIR}/maturin-${PV}"
 
-CFLAGS += "-fdebug-prefix-map=${CARGO_HOME}=${TARGET_DBGSRC_DIR}/cargo_home"
+CFLAGS += "-ffile-prefix-map=${CARGO_HOME}=${TARGET_DBGSRC_DIR}/cargo_home"
 
 DEPENDS += "\
     python3-setuptools-rust-native \
diff --git a/meta/recipes-devtools/rust/cargo_1.84.1.bb b/meta/recipes-devtools/rust/cargo_1.84.1.bb
index db18ecfda9..150c2d2b80 100644
--- a/meta/recipes-devtools/rust/cargo_1.84.1.bb
+++ b/meta/recipes-devtools/rust/cargo_1.84.1.bb
@@ -19,7 +19,7 @@ CARGO_VENDORING_DIRECTORY = "${RUSTSRC}/vendor"
 
 inherit cargo pkgconfig
 
-DEBUG_PREFIX_MAP += "-fdebug-prefix-map=${RUSTSRC}/vendor=${TARGET_DBGSRC_DIR}"
+DEBUG_PREFIX_MAP += "-ffile-prefix-map=${RUSTSRC}/vendor=${TARGET_DBGSRC_DIR}"
 
 do_cargo_setup_snapshot () {
 	${UNPACKDIR}/rust-snapshot-components/${CARGO_SNAPSHOT}/install.sh --prefix="${WORKDIR}/${CARGO_SNAPSHOT}" --disable-ldconfig
-- 
2.43.0

Re: [OE-core][walnascar 3/3] bitbake.conf: Switch prefix mapping to use -ffile-prefix-map

[Gyorgy Sarvari]

Is this more than cosmetic in walnascar? If it isn't, than should this
really go into a stable branch? In my understanding this will require a
brand new sstate cache.

On 8/12/25 15:29, Steve Sakoman via lists.openembedded.org wrote:
> From: Khem Raj <raj.khem@gmail.com>
>
> -ffile-prefix map is more comprehensive when it comes to reproducible
> builds and its superset of all prefix-mapping options in compilers
>
> (From OE-Core rev: ff73fa7ef7666a6dbe34f15515bc3ab6e574c5b0)
>
> Signed-off-by: Khem Raj <raj.khem@gmail.com>
> Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
>  meta/classes-recipe/kernel-arch.bbclass            |  6 ++----
>  meta/conf/bitbake.conf                             | 14 +++++---------
>  meta/lib/oe/package.py                             |  2 +-
>  meta/recipes-devtools/gcc/libgfortran.inc          |  2 +-
>  .../python/python3-maturin_1.8.3.bb                |  2 +-
>  meta/recipes-devtools/rust/cargo_1.84.1.bb         |  2 +-
>  6 files changed, 11 insertions(+), 17 deletions(-)
>
> diff --git a/meta/classes-recipe/kernel-arch.bbclass b/meta/classes-recipe/kernel-arch.bbclass
> index 36a6e0a60a..749a266ea3 100644
> --- a/meta/classes-recipe/kernel-arch.bbclass
> +++ b/meta/classes-recipe/kernel-arch.bbclass
> @@ -73,10 +73,8 @@ HOST_OBJCOPY_KERNEL_ARCH ?= "${TARGET_OBJCOPY_KERNEL_ARCH}"
>  
>  KERNEL_CC = "${CCACHE}${HOST_PREFIX}gcc ${HOST_CC_KERNEL_ARCH} \
>   -fuse-ld=bfd ${DEBUG_PREFIX_MAP} \
> - -fdebug-prefix-map=${STAGING_KERNEL_DIR}=${KERNEL_SRC_PATH} \
> - -fmacro-prefix-map=${STAGING_KERNEL_DIR}=${KERNEL_SRC_PATH} \
> - -fdebug-prefix-map=${STAGING_KERNEL_BUILDDIR}=${KERNEL_SRC_PATH} \
> - -fmacro-prefix-map=${STAGING_KERNEL_BUILDDIR}=${KERNEL_SRC_PATH} \
> + -ffile-prefix-map=${STAGING_KERNEL_DIR}=${KERNEL_SRC_PATH} \
> + -ffile-prefix-map=${STAGING_KERNEL_BUILDDIR}=${KERNEL_SRC_PATH} \
>  "
>  KERNEL_LD = "${HOST_PREFIX}ld.bfd ${HOST_LD_KERNEL_ARCH}"
>  KERNEL_AR = "${HOST_PREFIX}ar ${HOST_AR_KERNEL_ARCH}"
> diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf
> index 501808204e..b1dae17267 100644
> --- a/meta/conf/bitbake.conf
> +++ b/meta/conf/bitbake.conf
> @@ -652,15 +652,11 @@ EXTRA_OEMAKE:prepend:task-install = "${PARALLEL_MAKEINST} "
>  ##################################################################
>  TARGET_DBGSRC_DIR ?= "/usr/src/debug/${PN}/${PV}"
>  # Beware: applied last to first
> -DEBUG_PREFIX_MAP ?= "-fcanon-prefix-map \
> - -fmacro-prefix-map=${S}=${TARGET_DBGSRC_DIR} \
> - -fdebug-prefix-map=${S}=${TARGET_DBGSRC_DIR} \
> - -fmacro-prefix-map=${B}=${TARGET_DBGSRC_DIR} \
> - -fdebug-prefix-map=${B}=${TARGET_DBGSRC_DIR} \
> - -fdebug-prefix-map=${STAGING_DIR_HOST}= \
> - -fmacro-prefix-map=${STAGING_DIR_HOST}= \
> - -fdebug-prefix-map=${STAGING_DIR_NATIVE}= \
> - -fmacro-prefix-map=${STAGING_DIR_NATIVE}= \
> +DEBUG_PREFIX_MAP ?= "\
> + -ffile-prefix-map=${S}=${TARGET_DBGSRC_DIR} \
> + -ffile-prefix-map=${B}=${TARGET_DBGSRC_DIR} \
> + -ffile-prefix-map=${STAGING_DIR_HOST}= \
> + -ffile-prefix-map=${STAGING_DIR_NATIVE}= \
>  "
>  DEBUG_LEVELFLAG ?= "-g"
>  
> diff --git a/meta/lib/oe/package.py b/meta/lib/oe/package.py
> index 0db14f2164..0bcc04ea54 100644
> --- a/meta/lib/oe/package.py
> +++ b/meta/lib/oe/package.py
> @@ -991,7 +991,7 @@ def copydebugsources(debugsrcdir, sources, d):
>  
>          prefixmap = {}
>          for flag in cflags.split():
> -            if not flag.startswith("-fdebug-prefix-map"):
> +            if not flag.startswith("-ffile-prefix-map"):
>                  continue
>              if "recipe-sysroot" in flag:
>                  continue
> diff --git a/meta/recipes-devtools/gcc/libgfortran.inc b/meta/recipes-devtools/gcc/libgfortran.inc
> index 4560421ed1..fa6aecaaa3 100644
> --- a/meta/recipes-devtools/gcc/libgfortran.inc
> +++ b/meta/recipes-devtools/gcc/libgfortran.inc
> @@ -8,7 +8,7 @@ EXTRA_OECONF_PATHS = "\
>  # An arm hard float target like raspberrypi4 won't build
>  # as CFLAGS don't make it to the fortran compiler otherwise
>  # (the configure script sets FC to $GFORTRAN unconditionally)
> -export GFORTRAN = "${FC} -fcanon-prefix-map -fdebug-prefix-map=${S}=${TARGET_DBGSRC_DIR} -fdebug-prefix-map=${B}=${TARGET_DBGSRC_DIR} -gno-record-gcc-switches"
> +export GFORTRAN = "${FC} -ffile-prefix-map=${S}=${TARGET_DBGSRC_DIR} -ffile-prefix-map=${B}=${TARGET_DBGSRC_DIR} -gno-record-gcc-switches"
>  
>  do_configure () {
>  	for target in libbacktrace libgfortran
> diff --git a/meta/recipes-devtools/python/python3-maturin_1.8.3.bb b/meta/recipes-devtools/python/python3-maturin_1.8.3.bb
> index 17c8fb7083..ad61aac856 100644
> --- a/meta/recipes-devtools/python/python3-maturin_1.8.3.bb
> +++ b/meta/recipes-devtools/python/python3-maturin_1.8.3.bb
> @@ -9,7 +9,7 @@ SRC_URI[sha256sum] = "304762f86fd53a8031b1bf006d12572a2aa0a5235485031113195cc015
>  
>  S = "${WORKDIR}/maturin-${PV}"
>  
> -CFLAGS += "-fdebug-prefix-map=${CARGO_HOME}=${TARGET_DBGSRC_DIR}/cargo_home"
> +CFLAGS += "-ffile-prefix-map=${CARGO_HOME}=${TARGET_DBGSRC_DIR}/cargo_home"
>  
>  DEPENDS += "\
>      python3-setuptools-rust-native \
> diff --git a/meta/recipes-devtools/rust/cargo_1.84.1.bb b/meta/recipes-devtools/rust/cargo_1.84.1.bb
> index db18ecfda9..150c2d2b80 100644
> --- a/meta/recipes-devtools/rust/cargo_1.84.1.bb
> +++ b/meta/recipes-devtools/rust/cargo_1.84.1.bb
> @@ -19,7 +19,7 @@ CARGO_VENDORING_DIRECTORY = "${RUSTSRC}/vendor"
>  
>  inherit cargo pkgconfig
>  
> -DEBUG_PREFIX_MAP += "-fdebug-prefix-map=${RUSTSRC}/vendor=${TARGET_DBGSRC_DIR}"
> +DEBUG_PREFIX_MAP += "-ffile-prefix-map=${RUSTSRC}/vendor=${TARGET_DBGSRC_DIR}"
>  
>  do_cargo_setup_snapshot () {
>  	${UNPACKDIR}/rust-snapshot-components/${CARGO_SNAPSHOT}/install.sh --prefix="${WORKDIR}/${CARGO_SNAPSHOT}" --disable-ldconfig
>

Re: [OE-core][walnascar 3/3] bitbake.conf: Switch prefix mapping to use -ffile-prefix-map

[Steve Sakoman]

On Wed, Aug 13, 2025 at 9:11 AM Gyorgy Sarvari <skandigraun@gmail.com> wrote:
>
> Is this more than cosmetic in walnascar? If it isn't, than should this
> really go into a stable branch? In my understanding this will require a
> brand new sstate cache.

Khem,

Can you comment on this?

Thanks!

Steve

>
> On 8/12/25 15:29, Steve Sakoman via lists.openembedded.org wrote:
> > From: Khem Raj <raj.khem@gmail.com>
> >
> > -ffile-prefix map is more comprehensive when it comes to reproducible
> > builds and its superset of all prefix-mapping options in compilers
> >
> > (From OE-Core rev: ff73fa7ef7666a6dbe34f15515bc3ab6e574c5b0)
> >
> > Signed-off-by: Khem Raj <raj.khem@gmail.com>
> > Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
> > Signed-off-by: Steve Sakoman <steve@sakoman.com>
> > ---
> >  meta/classes-recipe/kernel-arch.bbclass            |  6 ++----
> >  meta/conf/bitbake.conf                             | 14 +++++---------
> >  meta/lib/oe/package.py                             |  2 +-
> >  meta/recipes-devtools/gcc/libgfortran.inc          |  2 +-
> >  .../python/python3-maturin_1.8.3.bb                |  2 +-
> >  meta/recipes-devtools/rust/cargo_1.84.1.bb         |  2 +-
> >  6 files changed, 11 insertions(+), 17 deletions(-)
> >
> > diff --git a/meta/classes-recipe/kernel-arch.bbclass b/meta/classes-recipe/kernel-arch.bbclass
> > index 36a6e0a60a..749a266ea3 100644
> > --- a/meta/classes-recipe/kernel-arch.bbclass
> > +++ b/meta/classes-recipe/kernel-arch.bbclass
> > @@ -73,10 +73,8 @@ HOST_OBJCOPY_KERNEL_ARCH ?= "${TARGET_OBJCOPY_KERNEL_ARCH}"
> >
> >  KERNEL_CC = "${CCACHE}${HOST_PREFIX}gcc ${HOST_CC_KERNEL_ARCH} \
> >   -fuse-ld=bfd ${DEBUG_PREFIX_MAP} \
> > - -fdebug-prefix-map=${STAGING_KERNEL_DIR}=${KERNEL_SRC_PATH} \
> > - -fmacro-prefix-map=${STAGING_KERNEL_DIR}=${KERNEL_SRC_PATH} \
> > - -fdebug-prefix-map=${STAGING_KERNEL_BUILDDIR}=${KERNEL_SRC_PATH} \
> > - -fmacro-prefix-map=${STAGING_KERNEL_BUILDDIR}=${KERNEL_SRC_PATH} \
> > + -ffile-prefix-map=${STAGING_KERNEL_DIR}=${KERNEL_SRC_PATH} \
> > + -ffile-prefix-map=${STAGING_KERNEL_BUILDDIR}=${KERNEL_SRC_PATH} \
> >  "
> >  KERNEL_LD = "${HOST_PREFIX}ld.bfd ${HOST_LD_KERNEL_ARCH}"
> >  KERNEL_AR = "${HOST_PREFIX}ar ${HOST_AR_KERNEL_ARCH}"
> > diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf
> > index 501808204e..b1dae17267 100644
> > --- a/meta/conf/bitbake.conf
> > +++ b/meta/conf/bitbake.conf
> > @@ -652,15 +652,11 @@ EXTRA_OEMAKE:prepend:task-install = "${PARALLEL_MAKEINST} "
> >  ##################################################################
> >  TARGET_DBGSRC_DIR ?= "/usr/src/debug/${PN}/${PV}"
> >  # Beware: applied last to first
> > -DEBUG_PREFIX_MAP ?= "-fcanon-prefix-map \
> > - -fmacro-prefix-map=${S}=${TARGET_DBGSRC_DIR} \
> > - -fdebug-prefix-map=${S}=${TARGET_DBGSRC_DIR} \
> > - -fmacro-prefix-map=${B}=${TARGET_DBGSRC_DIR} \
> > - -fdebug-prefix-map=${B}=${TARGET_DBGSRC_DIR} \
> > - -fdebug-prefix-map=${STAGING_DIR_HOST}= \
> > - -fmacro-prefix-map=${STAGING_DIR_HOST}= \
> > - -fdebug-prefix-map=${STAGING_DIR_NATIVE}= \
> > - -fmacro-prefix-map=${STAGING_DIR_NATIVE}= \
> > +DEBUG_PREFIX_MAP ?= "\
> > + -ffile-prefix-map=${S}=${TARGET_DBGSRC_DIR} \
> > + -ffile-prefix-map=${B}=${TARGET_DBGSRC_DIR} \
> > + -ffile-prefix-map=${STAGING_DIR_HOST}= \
> > + -ffile-prefix-map=${STAGING_DIR_NATIVE}= \
> >  "
> >  DEBUG_LEVELFLAG ?= "-g"
> >
> > diff --git a/meta/lib/oe/package.py b/meta/lib/oe/package.py
> > index 0db14f2164..0bcc04ea54 100644
> > --- a/meta/lib/oe/package.py
> > +++ b/meta/lib/oe/package.py
> > @@ -991,7 +991,7 @@ def copydebugsources(debugsrcdir, sources, d):
> >
> >          prefixmap = {}
> >          for flag in cflags.split():
> > -            if not flag.startswith("-fdebug-prefix-map"):
> > +            if not flag.startswith("-ffile-prefix-map"):
> >                  continue
> >              if "recipe-sysroot" in flag:
> >                  continue
> > diff --git a/meta/recipes-devtools/gcc/libgfortran.inc b/meta/recipes-devtools/gcc/libgfortran.inc
> > index 4560421ed1..fa6aecaaa3 100644
> > --- a/meta/recipes-devtools/gcc/libgfortran.inc
> > +++ b/meta/recipes-devtools/gcc/libgfortran.inc
> > @@ -8,7 +8,7 @@ EXTRA_OECONF_PATHS = "\
> >  # An arm hard float target like raspberrypi4 won't build
> >  # as CFLAGS don't make it to the fortran compiler otherwise
> >  # (the configure script sets FC to $GFORTRAN unconditionally)
> > -export GFORTRAN = "${FC} -fcanon-prefix-map -fdebug-prefix-map=${S}=${TARGET_DBGSRC_DIR} -fdebug-prefix-map=${B}=${TARGET_DBGSRC_DIR} -gno-record-gcc-switches"
> > +export GFORTRAN = "${FC} -ffile-prefix-map=${S}=${TARGET_DBGSRC_DIR} -ffile-prefix-map=${B}=${TARGET_DBGSRC_DIR} -gno-record-gcc-switches"
> >
> >  do_configure () {
> >       for target in libbacktrace libgfortran
> > diff --git a/meta/recipes-devtools/python/python3-maturin_1.8.3.bb b/meta/recipes-devtools/python/python3-maturin_1.8.3.bb
> > index 17c8fb7083..ad61aac856 100644
> > --- a/meta/recipes-devtools/python/python3-maturin_1.8.3.bb
> > +++ b/meta/recipes-devtools/python/python3-maturin_1.8.3.bb
> > @@ -9,7 +9,7 @@ SRC_URI[sha256sum] = "304762f86fd53a8031b1bf006d12572a2aa0a5235485031113195cc015
> >
> >  S = "${WORKDIR}/maturin-${PV}"
> >
> > -CFLAGS += "-fdebug-prefix-map=${CARGO_HOME}=${TARGET_DBGSRC_DIR}/cargo_home"
> > +CFLAGS += "-ffile-prefix-map=${CARGO_HOME}=${TARGET_DBGSRC_DIR}/cargo_home"
> >
> >  DEPENDS += "\
> >      python3-setuptools-rust-native \
> > diff --git a/meta/recipes-devtools/rust/cargo_1.84.1.bb b/meta/recipes-devtools/rust/cargo_1.84.1.bb
> > index db18ecfda9..150c2d2b80 100644
> > --- a/meta/recipes-devtools/rust/cargo_1.84.1.bb
> > +++ b/meta/recipes-devtools/rust/cargo_1.84.1.bb
> > @@ -19,7 +19,7 @@ CARGO_VENDORING_DIRECTORY = "${RUSTSRC}/vendor"
> >
> >  inherit cargo pkgconfig
> >
> > -DEBUG_PREFIX_MAP += "-fdebug-prefix-map=${RUSTSRC}/vendor=${TARGET_DBGSRC_DIR}"
> > +DEBUG_PREFIX_MAP += "-ffile-prefix-map=${RUSTSRC}/vendor=${TARGET_DBGSRC_DIR}"
> >
> >  do_cargo_setup_snapshot () {
> >       ${UNPACKDIR}/rust-snapshot-components/${CARGO_SNAPSHOT}/install.sh --prefix="${WORKDIR}/${CARGO_SNAPSHOT}" --disable-ldconfig
> >
>

Re: [OE-core][walnascar 3/3] bitbake.conf: Switch prefix mapping to use -ffile-prefix-map

[Khem Raj]

On Wed, Aug 13, 2025 at 9:14 AM Steve Sakoman <steve@sakoman.com> wrote:
>
> On Wed, Aug 13, 2025 at 9:11 AM Gyorgy Sarvari <skandigraun@gmail.com> wrote:
> >
> > Is this more than cosmetic in walnascar? If it isn't, than should this
> > really go into a stable branch? In my understanding this will require a
> > brand new sstate cache.
>
> Khem,
>
> Can you comment on this?
>

Hi Steve,

I think there are patches in other layers which will be required to
backported as well. While its possible, I think
it could be some work to get it going, I would suggest to hold it back
and let folks use october release to use it
where it is soaked better.

> Thanks!
>
> Steve
>
> >
> > On 8/12/25 15:29, Steve Sakoman via lists.openembedded.org wrote:
> > > From: Khem Raj <raj.khem@gmail.com>
> > >
> > > -ffile-prefix map is more comprehensive when it comes to reproducible
> > > builds and its superset of all prefix-mapping options in compilers
> > >
> > > (From OE-Core rev: ff73fa7ef7666a6dbe34f15515bc3ab6e574c5b0)
> > >
> > > Signed-off-by: Khem Raj <raj.khem@gmail.com>
> > > Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
> > > Signed-off-by: Steve Sakoman <steve@sakoman.com>
> > > ---
> > >  meta/classes-recipe/kernel-arch.bbclass            |  6 ++----
> > >  meta/conf/bitbake.conf                             | 14 +++++---------
> > >  meta/lib/oe/package.py                             |  2 +-
> > >  meta/recipes-devtools/gcc/libgfortran.inc          |  2 +-
> > >  .../python/python3-maturin_1.8.3.bb                |  2 +-
> > >  meta/recipes-devtools/rust/cargo_1.84.1.bb         |  2 +-
> > >  6 files changed, 11 insertions(+), 17 deletions(-)
> > >
> > > diff --git a/meta/classes-recipe/kernel-arch.bbclass b/meta/classes-recipe/kernel-arch.bbclass
> > > index 36a6e0a60a..749a266ea3 100644
> > > --- a/meta/classes-recipe/kernel-arch.bbclass
> > > +++ b/meta/classes-recipe/kernel-arch.bbclass
> > > @@ -73,10 +73,8 @@ HOST_OBJCOPY_KERNEL_ARCH ?= "${TARGET_OBJCOPY_KERNEL_ARCH}"
> > >
> > >  KERNEL_CC = "${CCACHE}${HOST_PREFIX}gcc ${HOST_CC_KERNEL_ARCH} \
> > >   -fuse-ld=bfd ${DEBUG_PREFIX_MAP} \
> > > - -fdebug-prefix-map=${STAGING_KERNEL_DIR}=${KERNEL_SRC_PATH} \
> > > - -fmacro-prefix-map=${STAGING_KERNEL_DIR}=${KERNEL_SRC_PATH} \
> > > - -fdebug-prefix-map=${STAGING_KERNEL_BUILDDIR}=${KERNEL_SRC_PATH} \
> > > - -fmacro-prefix-map=${STAGING_KERNEL_BUILDDIR}=${KERNEL_SRC_PATH} \
> > > + -ffile-prefix-map=${STAGING_KERNEL_DIR}=${KERNEL_SRC_PATH} \
> > > + -ffile-prefix-map=${STAGING_KERNEL_BUILDDIR}=${KERNEL_SRC_PATH} \
> > >  "
> > >  KERNEL_LD = "${HOST_PREFIX}ld.bfd ${HOST_LD_KERNEL_ARCH}"
> > >  KERNEL_AR = "${HOST_PREFIX}ar ${HOST_AR_KERNEL_ARCH}"
> > > diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf
> > > index 501808204e..b1dae17267 100644
> > > --- a/meta/conf/bitbake.conf
> > > +++ b/meta/conf/bitbake.conf
> > > @@ -652,15 +652,11 @@ EXTRA_OEMAKE:prepend:task-install = "${PARALLEL_MAKEINST} "
> > >  ##################################################################
> > >  TARGET_DBGSRC_DIR ?= "/usr/src/debug/${PN}/${PV}"
> > >  # Beware: applied last to first
> > > -DEBUG_PREFIX_MAP ?= "-fcanon-prefix-map \
> > > - -fmacro-prefix-map=${S}=${TARGET_DBGSRC_DIR} \
> > > - -fdebug-prefix-map=${S}=${TARGET_DBGSRC_DIR} \
> > > - -fmacro-prefix-map=${B}=${TARGET_DBGSRC_DIR} \
> > > - -fdebug-prefix-map=${B}=${TARGET_DBGSRC_DIR} \
> > > - -fdebug-prefix-map=${STAGING_DIR_HOST}= \
> > > - -fmacro-prefix-map=${STAGING_DIR_HOST}= \
> > > - -fdebug-prefix-map=${STAGING_DIR_NATIVE}= \
> > > - -fmacro-prefix-map=${STAGING_DIR_NATIVE}= \
> > > +DEBUG_PREFIX_MAP ?= "\
> > > + -ffile-prefix-map=${S}=${TARGET_DBGSRC_DIR} \
> > > + -ffile-prefix-map=${B}=${TARGET_DBGSRC_DIR} \
> > > + -ffile-prefix-map=${STAGING_DIR_HOST}= \
> > > + -ffile-prefix-map=${STAGING_DIR_NATIVE}= \
> > >  "
> > >  DEBUG_LEVELFLAG ?= "-g"
> > >
> > > diff --git a/meta/lib/oe/package.py b/meta/lib/oe/package.py
> > > index 0db14f2164..0bcc04ea54 100644
> > > --- a/meta/lib/oe/package.py
> > > +++ b/meta/lib/oe/package.py
> > > @@ -991,7 +991,7 @@ def copydebugsources(debugsrcdir, sources, d):
> > >
> > >          prefixmap = {}
> > >          for flag in cflags.split():
> > > -            if not flag.startswith("-fdebug-prefix-map"):
> > > +            if not flag.startswith("-ffile-prefix-map"):
> > >                  continue
> > >              if "recipe-sysroot" in flag:
> > >                  continue
> > > diff --git a/meta/recipes-devtools/gcc/libgfortran.inc b/meta/recipes-devtools/gcc/libgfortran.inc
> > > index 4560421ed1..fa6aecaaa3 100644
> > > --- a/meta/recipes-devtools/gcc/libgfortran.inc
> > > +++ b/meta/recipes-devtools/gcc/libgfortran.inc
> > > @@ -8,7 +8,7 @@ EXTRA_OECONF_PATHS = "\
> > >  # An arm hard float target like raspberrypi4 won't build
> > >  # as CFLAGS don't make it to the fortran compiler otherwise
> > >  # (the configure script sets FC to $GFORTRAN unconditionally)
> > > -export GFORTRAN = "${FC} -fcanon-prefix-map -fdebug-prefix-map=${S}=${TARGET_DBGSRC_DIR} -fdebug-prefix-map=${B}=${TARGET_DBGSRC_DIR} -gno-record-gcc-switches"
> > > +export GFORTRAN = "${FC} -ffile-prefix-map=${S}=${TARGET_DBGSRC_DIR} -ffile-prefix-map=${B}=${TARGET_DBGSRC_DIR} -gno-record-gcc-switches"
> > >
> > >  do_configure () {
> > >       for target in libbacktrace libgfortran
> > > diff --git a/meta/recipes-devtools/python/python3-maturin_1.8.3.bb b/meta/recipes-devtools/python/python3-maturin_1.8.3.bb
> > > index 17c8fb7083..ad61aac856 100644
> > > --- a/meta/recipes-devtools/python/python3-maturin_1.8.3.bb
> > > +++ b/meta/recipes-devtools/python/python3-maturin_1.8.3.bb
> > > @@ -9,7 +9,7 @@ SRC_URI[sha256sum] = "304762f86fd53a8031b1bf006d12572a2aa0a5235485031113195cc015
> > >
> > >  S = "${WORKDIR}/maturin-${PV}"
> > >
> > > -CFLAGS += "-fdebug-prefix-map=${CARGO_HOME}=${TARGET_DBGSRC_DIR}/cargo_home"
> > > +CFLAGS += "-ffile-prefix-map=${CARGO_HOME}=${TARGET_DBGSRC_DIR}/cargo_home"
> > >
> > >  DEPENDS += "\
> > >      python3-setuptools-rust-native \
> > > diff --git a/meta/recipes-devtools/rust/cargo_1.84.1.bb b/meta/recipes-devtools/rust/cargo_1.84.1.bb
> > > index db18ecfda9..150c2d2b80 100644
> > > --- a/meta/recipes-devtools/rust/cargo_1.84.1.bb
> > > +++ b/meta/recipes-devtools/rust/cargo_1.84.1.bb
> > > @@ -19,7 +19,7 @@ CARGO_VENDORING_DIRECTORY = "${RUSTSRC}/vendor"
> > >
> > >  inherit cargo pkgconfig
> > >
> > > -DEBUG_PREFIX_MAP += "-fdebug-prefix-map=${RUSTSRC}/vendor=${TARGET_DBGSRC_DIR}"
> > > +DEBUG_PREFIX_MAP += "-ffile-prefix-map=${RUSTSRC}/vendor=${TARGET_DBGSRC_DIR}"
> > >
> > >  do_cargo_setup_snapshot () {
> > >       ${UNPACKDIR}/rust-snapshot-components/${CARGO_SNAPSHOT}/install.sh --prefix="${WORKDIR}/${CARGO_SNAPSHOT}" --disable-ldconfig
> > >
> >

Re: [OE-core][walnascar 3/3] bitbake.conf: Switch prefix mapping to use -ffile-prefix-map

[Steve Sakoman]

On Wed, Aug 13, 2025 at 9:14 AM Steve Sakoman via
lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
wrote:
>
> On Wed, Aug 13, 2025 at 9:11 AM Gyorgy Sarvari <skandigraun@gmail.com> wrote:
> >
> > Is this more than cosmetic in walnascar? If it isn't, than should this
> > really go into a stable branch? In my understanding this will require a
> > brand new sstate cache.
>
> Khem,
>
> Can you comment on this?

I need to wrap up the changeset for the walnascar release, so I'm
going to remove these two patches until we reach some consensus on the
need for them.

Steve

Re: [OE-core][walnascar 3/3] bitbake.conf: Switch prefix mapping to use -ffile-prefix-map

[Khem Raj]

On Fri, Aug 15, 2025 at 9:03 AM Steve Sakoman <steve@sakoman.com> wrote:
>
> On Wed, Aug 13, 2025 at 9:14 AM Steve Sakoman via
> lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
> wrote:
> >
> > On Wed, Aug 13, 2025 at 9:11 AM Gyorgy Sarvari <skandigraun@gmail.com> wrote:
> > >
> > > Is this more than cosmetic in walnascar? If it isn't, than should this
> > > really go into a stable branch? In my understanding this will require a
> > > brand new sstate cache.
> >
> > Khem,
> >
> > Can you comment on this?
>
> I need to wrap up the changeset for the walnascar release, so I'm
> going to remove these two patches until we reach some consensus on the
> need for them.

Please drop.

>
> Steve

Re: [walnascar 3/3] bitbake.conf: Switch prefix mapping to use -ffile-prefix-map

[Varatharajan, Deepesh]

[-- Attachment #1: Type: text/plain, Size: 1150 bytes --]

Hi Khem,

We backported this patch due to a specific use case on our end. We set the TMPDIR
path length to 399 characters (just under the 400-character limit) and attempted
to build lib32-gcc. While this works fine on the master branch, we encountered the
following error on the walnascar branch:

make: /bin/bash: Argument list too long
make: *** [Makefile:4701: all-gcc] Error 127
ERROR: oe_runmake failed

Upon comparing the logs between the master and walnascar branches, we noticed that
in walnascar, the following flags were passed multiple times:

-fmacro-prefix-map
-fdebug-prefix-map
-fcanon-prefix-map

Since our TMPDIR path is quite long, passing it repeatedly via these flags seems
to be the root cause of the issue.

In the master branch, these were replaced with the more concise "-ffile-prefix-map"
flag, significantly reducing the number of times the long TMPDIR path is passed to
the compiler. This change resolved the error, which is why we backported the patch
to walnascar.

So, can we backport this for walnascar branch in future or do you suggest us to wait for
october release.

Regards,
Deepesh

[-- Attachment #2: Type: text/html, Size: 1385 bytes --]

Re: [OE-core] [walnascar 3/3] bitbake.conf: Switch prefix mapping to use -ffile-prefix-map

[Khem Raj]

On Wed, Sep 3, 2025 at 4:49 AM Varatharajan, Deepesh via
lists.openembedded.org
<deepesh.varatharajan=windriver.com@lists.openembedded.org> wrote:
>
> Hi Khem,
>
> We backported this patch due to a specific use case on our end. We set the TMPDIR
> path length to 399 characters (just under the 400-character limit) and attempted
> to build lib32-gcc. While this works fine on the master branch, we encountered the
> following error on the walnascar branch:
>
> make: /bin/bash: Argument list too long
> make: *** [Makefile:4701: all-gcc] Error 127
> ERROR: oe_runmake failed
>
> Upon comparing the logs between the master and walnascar branches, we noticed that
> in walnascar, the following flags were passed multiple times:
>
> -fmacro-prefix-map
> -fdebug-prefix-map
> -fcanon-prefix-map
>
> Since our TMPDIR path is quite long, passing it repeatedly via these flags seems
> to be the root cause of the issue.
>
> In the master branch, these were replaced with the more concise "-ffile-prefix-map"
> flag, significantly reducing the number of times the long TMPDIR path is passed to
> the compiler. This change resolved the error, which is why we backported the patch
> to walnascar.
>
> So, can we backport this for walnascar branch in future or do you suggest us to wait for
> october release.
>

these fixes also needed fixed in other layers so they will need to
backport needed patches
as well. I can speak for meta-oe layers but I am sure there are more,
so I would think it
is not an easy cherry-pick,

The issue of duplicate options is at the root of it, perhaps finding
that out and trying to solve
is a good fix even for master. Backporting this is just a workaround
to overcome the real issue.

> Regards,
> Deepesh
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#222856): https://lists.openembedded.org/g/openembedded-core/message/222856
> Mute This Topic: https://lists.openembedded.org/mt/114665450/1997914
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [raj.khem@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

[OE-core][walnascar 0/3] Patch review

[Steve Sakoman]

Please review this set of changes for walnascar and have comments back by
end of day Friday, September 26

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2435

The following changes since commit d728ec95291f05cbfb436eabe8717ebe9a0dc11d:

  python3-setuptools: restore build_scripts.executable support (2025-09-22 12:42:57 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/walnascar-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/walnascar-nut

Ross Burton (1):
  expat: upgrade to 2.7.2

Yogita Urade (2):
  curl: fix CVE-2025-9086
  curl: fix CVE-2025-10148

 .../expat/{expat_2.7.1.bb => expat_2.7.2.bb}  |  2 +-
 .../curl/curl/CVE-2025-10148.patch            | 57 +++++++++++++++++++
 .../curl/curl/CVE-2025-9086.patch             | 55 ++++++++++++++++++
 meta/recipes-support/curl/curl_8.12.1.bb      |  2 +
 4 files changed, 115 insertions(+), 1 deletion(-)
 rename meta/recipes-core/expat/{expat_2.7.1.bb => expat_2.7.2.bb} (92%)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-10148.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-9086.patch

-- 
2.43.0