From: Hongxu Jia <hongxu.jia@windriver.com>
To: Richard Purdie <richard.purdie@linuxfoundation.org>,
Jose Quaresma <quaresma.jose@gmail.com>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [PATCH] classes/yocto-check-layer: allow to explicitly skip check_network_flag in recipe
Date: Mon, 2 Mar 2026 10:15:33 +0800
Message-ID: <989fa4ba-3165-4b44-b380-017e535d228f@windriver.com>
In-Reply-To: <c60d35e74e13c5d4c93eaac67dcb726c25e61f76.camel@linuxfoundation.org>
On 2/28/26 18:50, Richard Purdie wrote:
> On Sat, 2026-02-28 at 11:27 +0800, hongxu via lists.openembedded.org
> wrote:
>> On 2/27/26 17:39, Jose Quaresma wrote:
>> hongxu via lists.openembedded.org
>> <hongxu.jia=windriver.com@lists.openembedded.org> wrote (Friday,
>> 27/02/2026 at 07:21):
>>>>
>>>> +# Format: "BPN1:task1 BPN2:task2", separate by space
>>>> +# build-appliance-image uses pip at image time
>>>> +SKIP_CHECK_NETWORK_FLAG = "build-appliance-image:do_image"
>>>> +
>>>> # Check that no tasks (with rare exceptions) between do_fetch and
>>>> do_build
>>>> # use the network.
>>>> def check_network_flag(d):
>>>> # BPN:task names that are allowed to reach the network, using
>>>> fnmatch to compare.
>>>> allowed = []
>>>> - # build-appliance-image uses pip at image time
>>>> - allowed += ["build-appliance-image:do_image"]
>>>> + allowed += (d.getVar('SKIP_CHECK_NETWORK_FLAG') or '').split()
>>>>
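Review bot: In check_network_flag(), the new line `allowed += (d.getVar('SKIP_CHECK_NETWORK_FLAG') or '').split()` reads the exemption list from the datastore, so the recipe or layer being checked can add its own BPN:task entries and pass the very check it is being tested against. The context comment says entries are compared with fnmatch, so a single wildcard entry could exempt many recipes or tasks at once. If the variable stays, consider rejecting wildcard entries that do not come from the class itself and having the check report every entry beyond the default `build-appliance-image:do_image`, so each exemption is visible in the check output. The comment above `SKIP_CHECK_NETWORK_FLAG` should also say who is expected to set it and that entries are fnmatch patterns, not only that they are space separated.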
>>>
>>> This could introduce severe reproducibility problems for someone who
>>> claims to have a Yocto compatible layer.
>>>
>> meta-tensorflow, which uses the bazel build system to build, requires
>> network access at do_compile if a download mirror is not available.
>>
>> Bazel is similar to bitbake: it has fetch, configure and compile, but
>> they are combined into one command that is invoked at bitbake's do_compile.
>>
>> In order to support offline builds, I've applied a local patch to bazel
>> to save the downloaded tarballs as a download mirror [1]
>>
>> [1] https://git.yoctoproject.org/meta-tensorflow/commit/?id=88ca1af3768e5a01e6ba8b2f09d6cf2a0bfb621e
>>
>> If the download mirror is available, the build will reuse it and the
>> network is not required. Reproducibility problems should be detected by
>> binary comparison of two builds; we have an oe-selftest case in
>> oe-core, by the way.
>>
> If the fetching happens outside of do_fetch, it means meta-tensorflow
> cannot be marked as Yocto Project Compatible.
>
> The point of the standard and this test is to move people towards
> reproducible builds with full manifests of the contents. If you bypass
> the fetcher, we don't have any of these guarantees.
>
> Our plan was to work out a way to remove the fetching from
> build-appliance too but we didn't want to hold off the implementation
> of that on the rest of the standard. The fact we've not done that yet
> is frustrating to me but it doesn't change what the intent of this
> plan is. We don't want to add a way to bypass it unless there is a
> really good reason. Good reasons might be 'publishing tasks' where
> we're writing data out to a remote, or we're running tests. I'd likely
> suggest these be in specific well defined tasks similar to fetch with
> known properties though.
>
Copy, understood
//Hongxu
> Cheers,
>
> Richard