[PATCH 0/1] Whitelist sftp

[PATCH 0/1] Whitelist sftp

[Peter Kjellerstedt]

I have been trying out the whitelisting of tools in $PATH, and it
seems to work very well. However, one thing that I realized is that
the tools used by the various fetchers need to be whitelisted. This
patch adds sftp to HOSTTOOLS_NONFATAL as that is the only fetcher we
use appart from git and wget, but I expect other tools such as cvs,
svn, hg, etc need to be added as well.

Feel free to squash this commit with the "base/bitbake.conf: Filter
contents of PATH to only allow whitelisted tools" commit.

//Peter

The following changes since commit 1cf50b756c589d8bf8f1f32f2062b69fb769242d:

  base/bitbake.conf: Filter contents of PATH to only allow whitelisted tools (2017-03-10 18:07:27 +0000)

are available in the git repository at:

  git://git.yoctoproject.org/poky-contrib pkj/whitelist_sftp
  http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=pkj/whitelist_sftp

Peter Kjellerstedt (1):
  bitbake.conf: Add 'sftp' to HOSTTOOLS_NONFATAL

 meta/conf/bitbake.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
2.12.0

[PATCH 1/1] bitbake.conf: Add 'sftp' to HOSTTOOLS_NONFATAL

[Peter Kjellerstedt]

This is necessary to be able to use the sftp fetcher.

Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
---
 meta/conf/bitbake.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf
index 5699099b41..4cf1f5d6ff 100644
--- a/meta/conf/bitbake.conf
+++ b/meta/conf/bitbake.conf
@@ -469,7 +469,7 @@ HOSTTOOLS += " \
 HOSTTOOLS += "ps stty ip ssh scp ping vi"
 
 # Link to these if present
-HOSTTOOLS_NONFATAL += "ccache pip3 ld.bfd ld.gold gcc-ar gpg"
+HOSTTOOLS_NONFATAL += "ccache pip3 ld.bfd ld.gold gcc-ar gpg sftp"
 
 CCACHE ??= ""
 # Disable ccache explicitly if CCACHE is null since gcc may be a symlink
-- 
2.12.0

Re: [PATCH 0/1] Whitelist sftp

[Richard Purdie]

On Sat, 2017-03-11 at 06:14 +0100, Peter Kjellerstedt wrote:
> I have been trying out the whitelisting of tools in $PATH, and it
> seems to work very well. However, one thing that I realized is that
> the tools used by the various fetchers need to be whitelisted. This
> patch adds sftp to HOSTTOOLS_NONFATAL as that is the only fetcher we
> use appart from git and wget, but I expect other tools such as cvs,
> svn, hg, etc need to be added as well.

For some, like subversion we actually build subversion-native so they
shouldn't be listed by default.

> Feel free to squash this commit with the "base/bitbake.conf: Filter
> contents of PATH to only allow whitelisted tools" commit.

I squashed this in along with some other minor tweaks thanks.

Richard