* [PATCH 1/2] libjpeg-turbo: exclude x.y.9z versions from upstream check
@ 2026-04-22 15:18 Alexander Kanavin
2026-04-22 15:18 ` [PATCH 2/2] sbom-cve-check: exclude recipes from version checks and version updates Alexander Kanavin
0 siblings, 1 reply; 4+ messages in thread
From: Alexander Kanavin @ 2026-04-22 15:18 UTC (permalink / raw)
To: openembedded-core; +Cc: Alexander Kanavin
From: Alexander Kanavin <alex@linutronix.de>
E.g. the current 3.1.90 is a pre-release and shouldn't be considered.
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
---
meta/recipes-graphics/jpeg/libjpeg-turbo_3.1.3.bb | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-graphics/jpeg/libjpeg-turbo_3.1.3.bb b/meta/recipes-graphics/jpeg/libjpeg-turbo_3.1.3.bb
index 26e84ca42c..f3e1ff59a6 100644
--- a/meta/recipes-graphics/jpeg/libjpeg-turbo_3.1.3.bb
+++ b/meta/recipes-graphics/jpeg/libjpeg-turbo_3.1.3.bb
@@ -10,6 +10,7 @@ DEPENDS:append:x86:class-target = " nasm-native"
SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BP}.tar.gz"
SRC_URI[sha256sum] = "075920b826834ac4ddf97661cc73491047855859affd671d52079c6867c1c6c0"
+UPSTREAM_CHECK_REGEX = "releases/tag/(?P<pver>\d+\.\d+\.(?!9\d+)\d+(\.\d+)*)"
PE = "1"
--
2.47.3
^ permalink raw reply related [flat|nested] 4+ messages in thread* [PATCH 2/2] sbom-cve-check: exclude recipes from version checks and version updates
2026-04-22 15:18 [PATCH 1/2] libjpeg-turbo: exclude x.y.9z versions from upstream check Alexander Kanavin
@ 2026-04-22 15:18 ` Alexander Kanavin
2026-04-23 14:22 ` [OE-core] " Ross Burton
0 siblings, 1 reply; 4+ messages in thread
From: Alexander Kanavin @ 2026-04-22 15:18 UTC (permalink / raw)
To: openembedded-core; +Cc: Alexander Kanavin
From: Alexander Kanavin <alex@linutronix.de>
These recipes rely on AUTOREV enabled with a fragment, and upstream otherwise
updates them far too often to make regular version updates feasible.
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
---
.../recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc
index fbdc561e8c..8f8639ab6c 100644
--- a/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc
+++ b/meta/recipes-devtools/sbom-cve-check/sbom-cve-check-update-db.inc
@@ -2,6 +2,7 @@
INHIBIT_DEFAULT_DEPS = "1"
EXCLUDE_FROM_WORLD = "1"
+RECIPE_NO_UPDATE_REASON = "Recipe is enabled via fragment that also sets AUTOREV, and so it doesn't require manual updates"
inherit native
require conf/sbom-cve-check-config.inc
--
2.47.3
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [OE-core] [PATCH 2/2] sbom-cve-check: exclude recipes from version checks and version updates
2026-04-22 15:18 ` [PATCH 2/2] sbom-cve-check: exclude recipes from version checks and version updates Alexander Kanavin
@ 2026-04-23 14:22 ` Ross Burton
2026-04-24 14:29 ` Alexander Kanavin
0 siblings, 1 reply; 4+ messages in thread
From: Ross Burton @ 2026-04-23 14:22 UTC (permalink / raw)
To: alex.kanavin@gmail.com; +Cc: openembedded-core@lists.openembedded.org
On 22 Apr 2026, at 16:18, Alexander Kanavin via lists.openembedded.org <alex.kanavin=gmail.com@lists.openembedded.org> wrote:
>
> From: Alexander Kanavin <alex@linutronix.de>
>
> These recipes rely on AUTOREV enabled with a fragment, and upstream otherwise
> updates them far too often to make regular version updates feasible.
I actually think we want to keep this. We encourage people to use AUTOREV on these recipes, but we should update the underlying SRCREV occasionally at least, and AUH is one easy way of doing that.
Ross
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [OE-core] [PATCH 2/2] sbom-cve-check: exclude recipes from version checks and version updates
2026-04-23 14:22 ` [OE-core] " Ross Burton
@ 2026-04-24 14:29 ` Alexander Kanavin
0 siblings, 0 replies; 4+ messages in thread
From: Alexander Kanavin @ 2026-04-24 14:29 UTC (permalink / raw)
To: Ross Burton; +Cc: openembedded-core@lists.openembedded.org
On Thu, 23 Apr 2026 at 16:23, Ross Burton <Ross.Burton@arm.com> wrote:
> > These recipes rely on AUTOREV enabled with a fragment, and upstream otherwise
> > updates them far too often to make regular version updates feasible.
>
> I actually think we want to keep this. We encourage people to use AUTOREV on these recipes, but we should update the underlying SRCREV occasionally at least, and AUH is one easy way of doing that.
I guess we can set PV to upstream tags, although both upstreams update
tags once a day, or even more frequently:
https://github.com/fkie-cad/nvd-json-data-feeds/tags
https://github.com/CVEProject/cvelistV5/tags
I'm not super keen to have recipes that are always out of date, and
are updated at random intervals, but yes it's doable.
Alex
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-04-24 14:29 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-22 15:18 [PATCH 1/2] libjpeg-turbo: exclude x.y.9z versions from upstream check Alexander Kanavin
2026-04-22 15:18 ` [PATCH 2/2] sbom-cve-check: exclude recipes from version checks and version updates Alexander Kanavin
2026-04-23 14:22 ` [OE-core] " Ross Burton
2026-04-24 14:29 ` Alexander Kanavin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox