* [PATCH v2 01/18] conf.py: add a :yocto_bug: role
2026-04-24 8:28 [PATCH v2 00/18] Updates for upcoming Wrynose release (2) Antonin Godard
@ 2026-04-24 8:28 ` Antonin Godard
2026-04-24 8:28 ` [PATCH v2 02/18] migration-guides/release-notes-6.0.rst: add known KVM issue Antonin Godard
` (16 subsequent siblings)
17 siblings, 0 replies; 19+ messages in thread
From: Antonin Godard @ 2026-04-24 8:28 UTC (permalink / raw)
To: docs; +Cc: Thomas Petazzoni, Antonin Godard
Similar to :yocto_bugs: but directly create a hyperlink to the bug
displayed with its identifier. Use as :yocto_bug:`12345`.
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
---
documentation/conf.py | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/documentation/conf.py b/documentation/conf.py
index 58c6406f1..7b201ebd6 100644
--- a/documentation/conf.py
+++ b/documentation/conf.py
@@ -97,6 +97,7 @@ oecore_git = f"{oe_git_server}/openembedded-core"
bitbake_git = f"{oe_git_server}/bitbake"
yocto_git_server = "https://git.yoctoproject.org"
meta_yocto_git = f"{yocto_git_server}/meta-yocto"
+bugzilla_server = "https://bugzilla.yoctoproject.org"
# external links and substitutions
extlinks = {
@@ -109,7 +110,8 @@ extlinks = {
'yocto_wiki': ('https://wiki.yoctoproject.org/wiki%s', None),
'yocto_dl': ('https://downloads.yoctoproject.org%s', None),
'yocto_lists': ('https://lists.yoctoproject.org%s', None),
- 'yocto_bugs': ('https://bugzilla.yoctoproject.org%s', None),
+ 'yocto_bugs': (f'{bugzilla_server}%s', None),
+ 'yocto_bug': (f'{bugzilla_server}/show_bug.cgi?id=%s', '%s'),
'yocto_ab': ('https://autobuilder.yoctoproject.org%s', None),
'yocto_docs': ('https://docs.yoctoproject.org%s', None),
'yocto_git': (f'{yocto_git_server}%s', None),
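Review bot: the new 'yocto_bug' key differs from 'yocto_bugs' by one letter but takes a different argument, a bare bug id rather than a URL path. Both are valid roles, so a slip between them builds without error and yields a wrong link (for example :yocto_bugs:`12345` expands to the server name with 12345 appended directly). A one-line comment above the two entries saying which takes an id and which takes a path, or a more distinct role name, would make this harder to get wrong.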
--
2.53.0
* [PATCH v2 02/18] migration-guides/release-notes-6.0.rst: add known KVM issue
From: Antonin Godard @ 2026-04-24 8:28 UTC (permalink / raw)
To: docs; +Cc: Thomas Petazzoni, Antonin Godard
And link to the bug in question on Bugzilla.
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
---
documentation/migration-guides/release-notes-6.0.rst | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/documentation/migration-guides/release-notes-6.0.rst b/documentation/migration-guides/release-notes-6.0.rst
index a4fd7a169..2ae182c8c 100644
--- a/documentation/migration-guides/release-notes-6.0.rst
+++ b/documentation/migration-guides/release-notes-6.0.rst
@@ -739,6 +739,10 @@ New Features / Enhancements in |yocto-ver|
Known Issues in |yocto-ver|
---------------------------
+- A known bug is affecting :term:`build hosts <Build Host>` that have Intel
+ Ultra 7 CPUs and breaks :term:`OpenEmbedded-Core (OE-Core)` tests that
+ involve KVM. See bug :yocto_bug:`16074` for more information.
+
Recipe License changes in |yocto-ver|
-------------------------------------
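Review bot: the added Known Issues entry names the affected hosts but gives neither the symptom nor a workaround, so a reader has to open bug 16074 to find out whether their failing KVM tests match. A few words on how the failure shows up would help. Also check whether "Intel Ultra 7" is the product name you want to print here.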
--
2.53.0
* [PATCH v2 03/18] migration-guides/migration-6.0.rst: document the CVE_PRODUCT behavior change
From: Antonin Godard @ 2026-04-24 8:28 UTC (permalink / raw)
To: docs; +Cc: Thomas Petazzoni, Antonin Godard
After 9dd9c0038907 ("cve_check: Escape special characters in CPE 2.3
strings") and 3c73dafd03b1 ("cve_check: Improve escaping of special
characters in CPE 2.3") in OE-Core.
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
---
documentation/migration-guides/migration-6.0.rst | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/documentation/migration-guides/migration-6.0.rst b/documentation/migration-guides/migration-6.0.rst
index 42c688a89..d763062da 100644
--- a/documentation/migration-guides/migration-6.0.rst
+++ b/documentation/migration-guides/migration-6.0.rst
@@ -291,6 +291,20 @@ information.
Users are advised to transition to SDPX 3.0, which is provided by the
:ref:`ref-classes-create-spdx` class.
+:term:`CVE_PRODUCT` character escaping change
+---------------------------------------------
+
+The :term:`CVE_PRODUCT` variable, which specifies a name used to match the
+recipe name against the name in the upstream `NIST CVE database
+<https://nvd.nist.gov/>`__, used to require special characters to be escaped.
+
+This is no longer, the case. For example, the :term:`CVE_PRODUCT` variable for
+the ``webkitgtk`` recipe must no longer be written as ``webkitgtk\+`` but
+``webkitgtk+``.
+
+Users are advised to review their :term:`CVE_PRODUCT` assignments and remove any
+special character escaping.
+
.. _ref-migration-6-0-wic-sector-size-change:
:term:`WIC_SECTOR_SIZE` should be replaced by ``--sector-size``
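Review bot: the added sentence "This is no longer, the case." has a stray comma. The new section also does not say what happens when an escaped value such as ``webkitgtk\+`` is left in place. Since the text describes :term:`CVE_PRODUCT` as the name used for matching against the CVE database, stating whether a stale escape produces a warning or only a silent mismatch would tell users how urgent the review is. Separately, the unchanged context line above spells SPDX as "SDPX".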
--
2.53.0
* [PATCH v2 04/18] tools/build-docs-container: add missing leap 16.0 in help message
From: Antonin Godard @ 2026-04-24 8:28 UTC (permalink / raw)
To: docs; +Cc: Thomas Petazzoni, Antonin Godard
Fixes: e5880b36dfc6 ("ref-manual/system-requirements.rst: add section for openSUSE Leap 16.0")
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
---
documentation/tools/build-docs-container | 1 +
1 file changed, 1 insertion(+)
diff --git a/documentation/tools/build-docs-container b/documentation/tools/build-docs-container
index a540e81ec..ab8314901 100755
--- a/documentation/tools/build-docs-container
+++ b/documentation/tools/build-docs-container
@@ -41,6 +41,7 @@ $0 OCI_IMAGE [make arguments...]
- fedora:42
- fedora:43
- leap:15.6
+ - leap:16.0
- rockylinux:8
- rockylinux:9
- ubuntu:22.04
--
2.53.0
* [PATCH v2 05/18] tools/build-docs-container: add CentOS 10 support
From: Antonin Godard @ 2026-04-24 8:28 UTC (permalink / raw)
To: docs; +Cc: Thomas Petazzoni, Antonin Godard
No issue building the documentation, and including the packages from the
essential list (INCLUDE_ESSENTIAL_PACKAGES=1).
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
---
documentation/tools/build-docs-container | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/documentation/tools/build-docs-container b/documentation/tools/build-docs-container
index ab8314901..37d3d2bb6 100755
--- a/documentation/tools/build-docs-container
+++ b/documentation/tools/build-docs-container
@@ -36,6 +36,7 @@ $0 OCI_IMAGE [make arguments...]
- almalinux:8
- almalinux:9
- centos:stream9
+ - centos:stream10
- debian:12
- debian:13
- fedora:42
@@ -98,7 +99,8 @@ main ()
docs_pdf=tlmgr_docs_pdf.sh
pip3=pip3_docs.sh
;;
- "centos:stream9"*)
+ "centos:stream9"*|\
+ "centos:stream10"*)
containerfile=Containerfile.stream
essential=centosstream_essential.sh
docs=centosstream_docs.sh
--
2.53.0
* [PATCH v2 06/18] ref-manual/system-requirements.rst: add CentOS 10 as a supported distro
From: Antonin Godard @ 2026-04-24 8:28 UTC (permalink / raw)
To: docs; +Cc: Thomas Petazzoni, Antonin Godard
The current list of packages for CentOS 9 applies for CentOS 10.
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
---
documentation/ref-manual/system-requirements.rst | 1 +
1 file changed, 1 insertion(+)
diff --git a/documentation/ref-manual/system-requirements.rst b/documentation/ref-manual/system-requirements.rst
index 05c852043..5171ca6ba 100644
--- a/documentation/ref-manual/system-requirements.rst
+++ b/documentation/ref-manual/system-requirements.rst
@@ -65,6 +65,7 @@ supported on the following distributions:
- AlmaLinux 8
- AlmaLinux 9
- CentOS Stream 9
+- CentOS Stream 10
- Debian 11
- Debian 12
- Debian 13
--
2.53.0
* [PATCH v2 07/18] docs-wide: drop documentation for cve-check and variables
From: Antonin Godard @ 2026-04-24 8:28 UTC (permalink / raw)
To: docs; +Cc: Thomas Petazzoni, Antonin Godard
Drop the cve-check class documentation and all variables strictly tied to
the class. The vex class is still there and uses the same namespace to
name its variables, so keep the variables that are still used in the vex
class. The current vulnerabilities document is out-of-date, but
references to cve-check are still removed there for bisectability, and
is rewritten in the next commits.
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
---
documentation/migration-guides/migration-3.0.rst | 4 +-
documentation/migration-guides/migration-5.0.rst | 2 +-
.../migration-guides/release-notes-4.0.23.rst | 2 +-
.../migration-guides/release-notes-4.1.1.rst | 4 +-
.../migration-guides/release-notes-4.1.rst | 4 +-
.../migration-guides/release-notes-5.0.5.rst | 2 +-
.../migration-guides/release-notes-5.0.rst | 4 +-
.../migration-guides/release-notes-5.1.3.rst | 2 +-
.../migration-guides/release-notes-5.1.rst | 8 +--
.../migration-guides/release-notes-5.2.rst | 24 +++----
.../migration-guides/release-notes-5.3.rst | 2 +-
.../migration-guides/release-notes-6.0.rst | 2 +-
documentation/ref-manual/classes.rst | 78 +---------------------
documentation/ref-manual/variables.rst | 77 +++------------------
documentation/security-manual/vulnerabilities.rst | 12 ++--
15 files changed, 47 insertions(+), 180 deletions(-)
diff --git a/documentation/migration-guides/migration-3.0.rst b/documentation/migration-guides/migration-3.0.rst
index 67fcac41f..f5201dcac 100644
--- a/documentation/migration-guides/migration-3.0.rst
+++ b/documentation/migration-guides/migration-3.0.rst
@@ -49,7 +49,7 @@ The following recipes have been removed.
- ``core-image-lsb-sdk``: Part of removed LSB support.
- ``cve-check-tool``: Functionally replaced by the ``cve-update-db``
- recipe and :ref:`ref-classes-cve-check` class.
+ recipe and ``cve-check`` class.
- ``eglinfo``: No longer maintained. ``eglinfo`` from ``mesa-demos`` is
an adequate and maintained alternative.
@@ -144,7 +144,7 @@ CVE Checking
------------
``cve-check-tool`` has been functionally replaced by a new
-``cve-update-db`` recipe and functionality built into the :ref:`ref-classes-cve-check`
+``cve-update-db`` recipe and functionality built into the ``cve-check``
class. The result uses NVD JSON data feeds rather than the deprecated
XML feeds that ``cve-check-tool`` was using, supports CVSSv3 scoring,
and makes other improvements.
diff --git a/documentation/migration-guides/migration-5.0.rst b/documentation/migration-guides/migration-5.0.rst
index cf413300c..a0d0cc2df 100644
--- a/documentation/migration-guides/migration-5.0.rst
+++ b/documentation/migration-guides/migration-5.0.rst
@@ -186,7 +186,7 @@ Miscellaneous changes
- ``recipetool`` now prefixes the names of recipes created for Python modules
with ``python3-``.
-- The :ref:`ref-classes-cve-check` class no longer produces a warning for
+- The ``cve-check`` class no longer produces a warning for
remote patches --- it only logs a note and does not try to fetch the patch
in order to scan it for issues or CVE numbers. However, CVE number
references in remote patch file names will now be picked up.
diff --git a/documentation/migration-guides/release-notes-4.0.23.rst b/documentation/migration-guides/release-notes-4.0.23.rst
index abf7c6975..271a6340f 100644
--- a/documentation/migration-guides/release-notes-4.0.23.rst
+++ b/documentation/migration-guides/release-notes-4.0.23.rst
@@ -80,7 +80,7 @@ Fixes in Yocto-4.0.23
- ref-manual: add missing :term:`OPKGBUILDCMD` variable
- ref-manual: devtool-reference: document missing commands
- ref-manual: devtool-reference: refresh example outputs
-- ref-manual: introduce :term:`CVE_CHECK_REPORT_PATCHED` variable
+- ref-manual: introduce ``CVE_CHECK_REPORT_PATCHED`` variable
- ref-manual: release-process: add a reference to the doc's release
- ref-manual: release-process: refresh the current LTS releases
- ref-manual: release-process: update releases.svg
diff --git a/documentation/migration-guides/release-notes-4.1.1.rst b/documentation/migration-guides/release-notes-4.1.1.rst
index 8393bc532..23ea4727c 100644
--- a/documentation/migration-guides/release-notes-4.1.1.rst
+++ b/documentation/migration-guides/release-notes-4.1.1.rst
@@ -131,8 +131,8 @@ Fixes in Yocto-4.1.1
- ref-manual/faq.rst: update references to products built with OE / Yocto Project
- ref-manual/variables.rst: clarify sentence
- ref-manual: add a note to ssh-server-dropbear feature
-- ref-manual: add :term:`CVE_CHECK_SHOW_WARNINGS`
-- ref-manual: add :term:`CVE_DB_UPDATE_INTERVAL`
+- ref-manual: add ``CVE_CHECK_SHOW_WARNINGS``
+- ref-manual: add ``CVE_DB_UPDATE_INTERVAL``
- ref-manual: add :term:`DEV_PKG_DEPENDENCY`
- ref-manual: add :term:`DISABLE_STATIC`
- ref-manual: add :term:`FIT_PAD_ALG`
diff --git a/documentation/migration-guides/release-notes-4.1.rst b/documentation/migration-guides/release-notes-4.1.rst
index 3ad3611b8..81d541fac 100644
--- a/documentation/migration-guides/release-notes-4.1.rst
+++ b/documentation/migration-guides/release-notes-4.1.rst
@@ -47,11 +47,11 @@ New Features / Enhancements in 4.1
- CVE checking enhancements:
- - New :term:`CVE_DB_UPDATE_INTERVAL` variable to allow specifying the CVE database minimum update interval (and default to once per day)
+ - New ``CVE_DB_UPDATE_INTERVAL`` variable to allow specifying the CVE database minimum update interval (and default to once per day)
- Added JSON format to summary output
- Added support for Ignored CVEs
- Enable recursive CVE checking also for ``do_populate_sdk``
- - New :term:`CVE_CHECK_SHOW_WARNINGS` variable to disable unpatched CVE warning messages
+ - New ``CVE_CHECK_SHOW_WARNINGS`` variable to disable unpatched CVE warning messages
- The :ref:`ref-classes-pypi` class now defaults :term:`CVE_PRODUCT` from :term:`PYPI_PACKAGE`
- Added current kernel CVEs to ignore list since we stay as close to the kernel stable releases as we can
- Optimisations to avoid dependencies on fetching
diff --git a/documentation/migration-guides/release-notes-5.0.5.rst b/documentation/migration-guides/release-notes-5.0.5.rst
index c8cf9a85d..7aadaeae4 100644
--- a/documentation/migration-guides/release-notes-5.0.5.rst
+++ b/documentation/migration-guides/release-notes-5.0.5.rst
@@ -83,7 +83,7 @@ Fixes in Yocto-5.0.5
- ref-manual: devtool-reference: document missing commands
- ref-manual: devtool-reference: refresh example outputs
- ref-manual: faq: add q&a on class appends
-- ref-manual: introduce :term:`CVE_CHECK_REPORT_PATCHED` variable
+- ref-manual: introduce ``CVE_CHECK_REPORT_PATCHED`` variable
- ref-manual: merge patch-status-* to patch-status
- ref-manual: release-process: add a reference to the doc's release
- ref-manual: release-process: refresh the current LTS releases
diff --git a/documentation/migration-guides/release-notes-5.0.rst b/documentation/migration-guides/release-notes-5.0.rst
index de11bd174..31b1d3da7 100644
--- a/documentation/migration-guides/release-notes-5.0.rst
+++ b/documentation/migration-guides/release-notes-5.0.rst
@@ -10,7 +10,7 @@ New Features / Enhancements in 5.0
- New variables:
- - :term:`CVE_DB_INCR_UPDATE_AGE_THRES`: Configure the maximum age of the
+ - ``CVE_DB_INCR_UPDATE_AGE_THRES``: Configure the maximum age of the
internal CVE database for incremental update (instead of a full
redownload).
@@ -277,7 +277,7 @@ New Features / Enhancements in 5.0
- Improve incremental CVE database download from NVD. Rejected CVEs are
removed, configuration is kept up-to-date. The age threshold for
- incremental update can be configured with :term:`CVE_DB_INCR_UPDATE_AGE_THRES`
+ incremental update can be configured with ``CVE_DB_INCR_UPDATE_AGE_THRES``
variable.
- Toaster Web UI improvements:
diff --git a/documentation/migration-guides/release-notes-5.1.3.rst b/documentation/migration-guides/release-notes-5.1.3.rst
index 641cb8d50..13cf48bae 100644
--- a/documentation/migration-guides/release-notes-5.1.3.rst
+++ b/documentation/migration-guides/release-notes-5.1.3.rst
@@ -40,7 +40,7 @@ Fixes in Yocto-5.1.3
- cmake: apply parallel build settings to ptest tasks
- contributor-guide/submit-changes: add policy on AI generated code
- cve-check: fix cvesInRecord
-- cve-check: restore :term:`CVE_CHECK_SHOW_WARNINGS` functionality
+- cve-check: restore ``CVE_CHECK_SHOW_WARNINGS`` functionality
- dev-manual/building: document the initramfs-framework recipe
- devtool: ide-sdk recommend :term:`DEBUG_BUILD`
- devtool: ide-sdk remove the plugin from eSDK installer
diff --git a/documentation/migration-guides/release-notes-5.1.rst b/documentation/migration-guides/release-notes-5.1.rst
index bab0c1458..2f049690a 100644
--- a/documentation/migration-guides/release-notes-5.1.rst
+++ b/documentation/migration-guides/release-notes-5.1.rst
@@ -11,7 +11,7 @@ New Features / Enhancements in 5.1
- New variables:
- - :term:`CVE_CHECK_MANIFEST_JSON_SUFFIX`: suffix for the CVE JSON manifest file.
+ - ``CVE_CHECK_MANIFEST_JSON_SUFFIX``: suffix for the CVE JSON manifest file.
- :term:`PRSERV_UPSTREAM`: Upstream PR service (``host:port``) for the local
PR server to connect to.
@@ -235,12 +235,12 @@ New Features / Enhancements in 5.1
- Fetch release tarballs instead of git checkouts to reduce disk usage.
-- :ref:`ref-classes-cve-check` changes:
+- ``cve-check`` changes:
- - The class :ref:`ref-classes-cve-check` now uses a local copy of the NVD
+ - The class ``cve-check`` now uses a local copy of the NVD
database during builds.
- - New statuses can be reported by :ref:`ref-classes-cve-check`:
+ - New statuses can be reported by ``cve-check``:
- ``fix-file-included``: when a fix file has been included (set automatically)
- ``version-not-in-range``: version number NOT in the vulnerable range (set automatically)
diff --git a/documentation/migration-guides/release-notes-5.2.rst b/documentation/migration-guides/release-notes-5.2.rst
index 5fc426c05..b5483c903 100644
--- a/documentation/migration-guides/release-notes-5.2.rst
+++ b/documentation/migration-guides/release-notes-5.2.rst
@@ -35,8 +35,8 @@ New Features / Enhancements in |yocto-ver|
install tags (``--tags``) to the ``meson install`` command during the
:ref:`ref-tasks-install` task.
- - :ref:`ref-classes-cve-check`: :term:`NVD_DB_VERSION` to allow choosing the
- CVE feed when using the :ref:`ref-classes-cve-check` class.
+ - ``cve-check``: ``NVD_DB_VERSION`` to allow choosing the
+ CVE feed when using the ``cve-check`` class.
- The :term:`BB_USE_HOME_NPMRC` controls whether or not BitBake uses the
user's ``.npmrc`` file within their home directory within the npm fetcher.
@@ -479,7 +479,7 @@ New Features / Enhancements in |yocto-ver|
- ``openssh``: be more restrictive on private key file permissions by
setting them from the :ref:`ref-tasks-install` task.
-- :ref:`ref-classes-cve-check` changes:
+- ``cve-check`` changes:
- Update the :term:`DL_DIR` database location name
(``${DL_DIR}/CVE_CHECK2``).
@@ -490,15 +490,15 @@ New Features / Enhancements in |yocto-ver|
- Fix malformed cve status description with ``:`` characters.
- - Restore the :term:`CVE_CHECK_SHOW_WARNINGS` variable and functionality. It
+ - Restore the ``CVE_CHECK_SHOW_WARNINGS`` variable and functionality. It
currently prints warning message for every unpatched CVE the
- :ref:`ref-classes-cve-check` class finds.
+ ``cve-check`` class finds.
- - Users can control the NVD database source using the :term:`NVD_DB_VERSION`
+ - Users can control the NVD database source using the ``NVD_DB_VERSION``
variable with possible values ``NVD1``, ``NVD2``, or ``FKIE``.
- The default feed for CVEs is now ``FKIE`` instead of ``NVD2`` (see
- :term:`NVD_DB_VERSION` for more information).
+ ``NVD_DB_VERSION`` for more information).
- New :term:`PACKAGECONFIG` options for individual recipes:
@@ -621,8 +621,8 @@ New Features / Enhancements in |yocto-ver|
- ``cve-update-nvd2-native``: updating the database will now result in an
error if :term:`BB_NO_NETWORK` is enabled and
- :term:`CVE_DB_UPDATE_INTERVAL` is not set to ``-1``. Users can control the
- NVD database source using the :term:`NVD_DB_VERSION` variable with
+ ``CVE_DB_UPDATE_INTERVAL`` is not set to ``-1``. Users can control the
+ NVD database source using the ``NVD_DB_VERSION`` variable with
possible values ``NVD1``, ``NVD2``, or ``FKIE``.
- ``systemtap``: add ``--with-extra-version="oe"`` configure option to
@@ -714,10 +714,10 @@ New Features / Enhancements in |yocto-ver|
Known Issues in |yocto-ver|
~~~~~~~~~~~~~~~~~~~~~~~~~~~
-- The :ref:`ref-classes-cve-check` class is based on the `National
+- The ``cve-check`` class is based on the `National
Vulnerability Database <https://nvd.nist.gov/>`__ (NVD). Since the beginning
of 2024, the maintainers of this database have stopped annotating CVEs with
- the affected CPEs. This prevents the :ref:`ref-classes-cve-check` class to
+ the affected CPEs. This prevents the ``cve-check`` class to
properly report CVEs as CPEs are used to match Yocto recipes with CVEs
affecting them. As a result, the current CVE reports may look good but the
reality is that some vulnerabilities are just not reported.
@@ -726,7 +726,7 @@ Known Issues in |yocto-ver|
<https://www.cve.org/>'__ for entries concerning software they use, or follow
release notes of such projects closely.
- Please note, that the :ref:`ref-classes-cve-check` tool has always been a
+ Please note, that the ``cve-check`` tool has always been a
helper tool, and users are advised to always review the final result. Results
of an automatic scan may not take into account configuration options,
compiler options and other factors.
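Review bot: the unchanged context line `<https://www.cve.org/>'__ in this hunk closes the link with an apostrophe instead of a backtick, so the hyperlink markup is broken. Worth fixing in the same pass, since this paragraph is already being edited.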
diff --git a/documentation/migration-guides/release-notes-5.3.rst b/documentation/migration-guides/release-notes-5.3.rst
index 0ba0fbe98..1655ca90f 100644
--- a/documentation/migration-guides/release-notes-5.3.rst
+++ b/documentation/migration-guides/release-notes-5.3.rst
@@ -778,7 +778,7 @@ New Features / Enhancements in |yocto-ver|
branch is no longer updated <migration-guides/migration-5.3:The Poky
repository master branch is no longer updated>`.
-- :ref:`ref-classes-cve-check` class changes:
+- ``cve-check`` class changes:
- ``cve-update-db-native``: FKIE: use Secondary metric if there is no
Primary metric.
diff --git a/documentation/migration-guides/release-notes-6.0.rst b/documentation/migration-guides/release-notes-6.0.rst
index 2ae182c8c..31d4cdfce 100644
--- a/documentation/migration-guides/release-notes-6.0.rst
+++ b/documentation/migration-guides/release-notes-6.0.rst
@@ -572,7 +572,7 @@ New Features / Enhancements in |yocto-ver|
:doc:`/security-reference/index`. It is intended to document how to report
vulnerabilities to the Yocto Project security team.
-- :ref:`ref-classes-cve-check`-related changes:
+- :ref:`ref-classes-sbom-cve-check`-related changes:
- ``cve-update-nvd2-native``: Use maximum CVSS score when extracting it from
multiple sources (:oecore_rev:`4f6192f3165de0bc2499e045607c7e7ffd878a4b`)
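Review bot: this heading is switched to :ref:`ref-classes-sbom-cve-check`, whereas every other hunk in the patch replaces the old reference with a plain ``cve-check`` literal. The commit message says references are removed for bisectability, so confirm that the ref-classes-sbom-cve-check label already exists at this point in the series; otherwise this commit introduces an unresolved reference. The item listed under the heading is about ``cve-update-nvd2-native``, so also check that the new class is the right heading for it.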
diff --git a/documentation/ref-manual/classes.rst b/documentation/ref-manual/classes.rst
index d66c9c68b..2905af5ed 100644
--- a/documentation/ref-manual/classes.rst
+++ b/documentation/ref-manual/classes.rst
@@ -596,78 +596,6 @@ cross-compilation tools used for building SDKs. See the
section in the Yocto Project Overview and Concepts Manual for more
discussion on these cross-compilation tools.
-.. _ref-classes-cve-check:
-
-``cve-check``
-=============
-
-The :ref:`ref-classes-cve-check` class looks for known CVEs (Common Vulnerabilities
-and Exposures) while building with BitBake. This class is meant to be
-inherited globally from a configuration file::
-
- INHERIT += "cve-check"
-
-To filter out obsolete CVE database entries which are known not to impact
-software from :term:`OpenEmbedded-Core (OE-Core)`, add the following line to the
-build configuration file::
-
- include cve-extra-exclusions.inc
-
-You can also look for vulnerabilities in specific packages by passing
-``-c cve_check`` to BitBake.
-
-After building the software with Bitbake, CVE check output reports are available in ``tmp/deploy/cve``
-and image specific summaries in ``tmp/deploy/images/*.json`` files.
-
-When building, the CVE checker will emit build time warnings for any detected
-issues which are in the state ``Unpatched``, meaning that CVE issue seems to affect the software component
-and version being compiled and no patches to address the issue are applied. Other states
-for detected CVE issues are: ``Patched`` meaning that a patch to address the issue is already
-applied, and ``Ignored`` meaning that the issue can be ignored.
-
-The ``Patched`` state of a CVE issue is detected from patch files with the format
-``CVE-ID.patch``, e.g. ``CVE-2019-20633.patch``, in the :term:`SRC_URI` and using
-CVE metadata of format ``CVE: CVE-ID`` in the commit message of the patch file.
-
-.. note::
-
- Commit message metadata (``CVE: CVE-ID`` in a patch header) will not be scanned
- in any patches that are remote, i.e. that are anything other than local files
- referenced via ``file://`` in SRC_URI. However, a ``CVE-ID`` in a remote patch
- file name itself will be registered.
-
-If the recipe adds ``CVE-ID`` as flag of the :term:`CVE_STATUS` variable with status
-mapped to ``Ignored``, then the CVE state is reported as ``Ignored``::
-
- CVE_STATUS[CVE-2020-15523] = "not-applicable-platform: Issue only applies on Windows"
-
-If CVE check reports that a recipe contains false positives or false negatives, these may be
-fixed in recipes by adjusting the CVE product name using :term:`CVE_PRODUCT` and :term:`CVE_VERSION` variables.
-:term:`CVE_PRODUCT` defaults to the plain recipe name :term:`BPN` which can be adjusted to one or more CVE
-database vendor and product pairs using the syntax::
-
- CVE_PRODUCT = "flex_project:flex"
-
-where ``flex_project`` is the CVE database vendor name and ``flex`` is the product name. Similarly
-if the default recipe version :term:`PV` does not match the version numbers of the software component
-in upstream releases or the CVE database, then the :term:`CVE_VERSION` variable can be used to set the
-CVE database compatible version number, for example::
-
- CVE_VERSION = "2.39"
-
-Any bugs or missing or incomplete information in the CVE database entries should be fixed in the CVE database
-via the `NVD feedback form <https://nvd.nist.gov/info/contact-form>`__.
-
-Users should note that security is a process, not a product, and thus also CVE checking, analyzing results,
-patching and updating the software should be done as a regular process. The data and assumptions
-required for CVE checker to reliably detect issues are frequently broken in various ways.
-These can only be detected by reviewing the details of the issues and iterating over the generated reports,
-and following what happens in other Linux distributions and in the greater open source community.
-
-You will find some more details in the
-":ref:`security-manual/vulnerabilities:checking for vulnerabilities`"
-section in the Development Tasks Manual.
-
.. _ref-classes-cython:
``cython``
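Review bot: the removed ``cve-check`` section also held the usage examples for variables that this patch keeps: the CVE_STATUS[...] flag syntax, the vendor:product form of CVE_PRODUCT, and CVE_VERSION. It also carried the note that ``CVE: CVE-ID`` tags are not scanned in remote patches. The commit message defers the vulnerabilities rewrite to later commits, so check that whatever still applies to the vex and SPDX flows is carried over there and not lost between this commit and the rewrite.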
@@ -3818,8 +3746,7 @@ using the Vala programming language.
========
The :ref:`ref-classes-vex` class is used to generate metadata needed by external
-tools to check for vulnerabilities, for example CVEs. It can be used as a
-replacement for :ref:`ref-classes-cve-check`.
+tools to check for vulnerabilities, for example CVEs.
In order to use this class, inherit the class in the ``local.conf`` file and it
will add the ``generate_vex`` task for every recipe::
@@ -3830,9 +3757,6 @@ If an image is built it will generate a report in :term:`DEPLOY_DIR_IMAGE` for
all the packages used, it will also generate a file for all recipes used in the
build.
-Variables use the ``CVE_CHECK`` prefix to keep compatibility with the
-:ref:`ref-classes-cve-check` class.
-
Example usage::
bitbake -c generate_vex openssl
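Review bot: dropping the sentence "Variables use the ``CVE_CHECK`` prefix ..." leaves the vex section with no explanation of why its variables are named CVE_CHECK_*, although the commit message says the class still uses that namespace. Keep a reworded sentence stating that the class's variables use the ``CVE_CHECK`` prefix, without the reference to the removed class.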
diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst
index e713204e3..0fcf81299 100644
--- a/documentation/ref-manual/variables.rst
+++ b/documentation/ref-manual/variables.rst
@@ -1977,42 +1977,22 @@ system and gives an overview of their function and contents.
variable only in certain contexts (e.g. when building for kernel
and kernel module recipes).
- :term:`CVE_CHECK_CREATE_MANIFEST`
- Specifies whether to create a CVE manifest to place in the deploy
- directory. The default is "1".
-
:term:`CVE_CHECK_IGNORE`
This variable is deprecated and should be replaced by :term:`CVE_STATUS`.
:term:`CVE_CHECK_MANIFEST_JSON`
- Specifies the path to the CVE manifest in JSON format. See
- :term:`CVE_CHECK_CREATE_MANIFEST`.
-
- :term:`CVE_CHECK_MANIFEST_JSON_SUFFIX`
- Allows to modify the JSON manifest suffix. See
- :term:`CVE_CHECK_MANIFEST_JSON`.
-
- :term:`CVE_CHECK_REPORT_PATCHED`
- Specifies whether or not the :ref:`ref-classes-cve-check`
- class should report patched or ignored CVEs. The default is "1", but you
- may wish to set it to "0" if you do not need patched or ignored CVEs in
- the logs.
-
- :term:`CVE_CHECK_SHOW_WARNINGS`
- Specifies whether or not the :ref:`ref-classes-cve-check`
- class should generate warning messages on the console when unpatched
- CVEs are found. The default is "1", but you may wish to set it to "0" if
- you are already examining/processing the logs after the build has
- completed and thus do not need the warning messages.
+ When inheriting the :ref:`ref-classes-vex` class, this variable specifies
+ the path to the CVE manifest in JSON format.
:term:`CVE_CHECK_SKIP_RECIPE`
- The list of package names (:term:`PN`) for which
- CVEs (Common Vulnerabilities and Exposures) are ignored.
+ When inheriting the :ref:`ref-classes-vex` class, the variable specifies
+ the list of package names (:term:`PN`) for which CVEs (Common
+ Vulnerabilities and Exposures) are ignored.
:term:`CVE_CHECK_STATUSMAP`
Mapping variable for all possible reasons of :term:`CVE_STATUS`:
``Patched``, ``Unpatched`` and ``Ignored``.
- See :ref:`ref-classes-cve-check` or ``meta/conf/cve-check-map.conf`` for more details::
+ See :oecore_path:`meta/conf/cve-check-map.conf` for more details::
CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
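Review bot: :term:`CVE_CHECK_SKIP_RECIPE` is now scoped to "When inheriting the :ref:`ref-classes-vex` class", so the entry should say whether recipes listed there are also skipped by :ref:`ref-classes-sbom-cve-check`; otherwise a reader may assume a skipped recipe is excluded from every CVE report. The two rewritten entries are also worded differently ("this variable specifies" for :term:`CVE_CHECK_MANIFEST_JSON`, "the variable specifies" for :term:`CVE_CHECK_SKIP_RECIPE`); pick one form.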
@@ -2023,18 +2003,6 @@ system and gives an overview of their function and contents.
CVE_CHECK_VEX_JUSTIFICATION[not-applicable-config] = "vulnerableCodeNotPresent"
- :term:`CVE_DB_INCR_UPDATE_AGE_THRES`
- Specifies the maximum age of the CVE database in seconds for an
- incremental update (instead of a full-download). Use "0" to force a
- full-download.
-
- :term:`CVE_DB_UPDATE_INTERVAL`
- Specifies the CVE database update interval in seconds, as used by
- ``cve-update-db-native``. The default value is "86400" i.e. once a day
- (24*60*60). If the value is set to "0" then the update will be forced
- every time. Alternatively, a negative value e.g. "-1" will disable
- updates entirely.
-
:term:`CVE_PRODUCT`
In a recipe, defines the name used to match the recipe name
against the name in the upstream `NIST CVE database <https://nvd.nist.gov/>`__.
@@ -2085,12 +2053,14 @@ system and gives an overview of their function and contents.
:term:`CVE_VERSION`
In a recipe, defines the version used to match the recipe version
against the version in the `NIST CVE database <https://nvd.nist.gov/>`__
- when usign :ref:`ref-classes-cve-check`.
+ when using the :ref:`ref-classes-vex` or :ref:`ref-classes-create-spdx`
+ class.
The default is ${:term:`PV`} but if recipes use custom version numbers
which do not map to upstream software component release versions and the versions
used in the CVE database, then this variable can be used to set the
- version number for :ref:`ref-classes-cve-check`. Example::
+ version number for :ref:`ref-classes-vex` or
+ :ref:`ref-classes-create-spdx`. Example::
CVE_VERSION = "2.39"
@@ -6548,33 +6518,6 @@ system and gives an overview of their function and contents.
NON_MULTILIB_RECIPES = "grub grub-efi make-mod-scripts ovmf u-boot"
- :term:`NVD_DB_VERSION`
- The :term:`NVD_DB_VERSION` variable allows choosing the CVE feed when
- using the :ref:`ref-classes-cve-check` class. It can be one of:
-
- - ``FKIE`` (default): the `FKIE-CAD <https://github.com/fkie-cad/nvd-json-data-feeds>`__
- feed reconstruction
- - ``NVD2``: the NVD feed with API version 2
- - ``NVD1``: the NVD JSON feed (deprecated)
-
- In case of a malformed feed name, the ``NVD2`` feed is selected and an
- error is printed.
-
- :term:`NVDCVE_API_KEY`
- The NVD API key used to retrieve data from the CVE database when
- using :ref:`ref-classes-cve-check`.
-
- By default, no API key is used, which results in larger delays between API
- requests and limits the number of queries to the public rate limits posted
- at the `NVD developer's page <https://nvd.nist.gov/developers/start-here>`__.
-
- NVD API keys can be requested through the
- `Request an API Key <https://nvd.nist.gov/developers/request-an-api-key>`__
- page. You can set this variable to the NVD API key in your ``local.conf`` file.
- Example::
-
- NVDCVE_API_KEY = "fe753&7a2-1427-347d-23ff-b2e2b7ca5f3"
-
:term:`OBJCOPY`
The minimal command and arguments to run :manpage:`objcopy <objcopy(1)>`.
diff --git a/documentation/security-manual/vulnerabilities.rst b/documentation/security-manual/vulnerabilities.rst
index e6135a525..983e1548c 100644
--- a/documentation/security-manual/vulnerabilities.rst
+++ b/documentation/security-manual/vulnerabilities.rst
@@ -28,7 +28,7 @@ Vulnerability check at build time
=================================
To enable a check for CVE security vulnerabilities using
-:ref:`ref-classes-cve-check` in the specific image or target you are building,
+``cve-check`` in the specific image or target you are building,
add the following setting to your configuration::
INHERIT += "cve-check"
@@ -58,7 +58,7 @@ analysis, it has been deemed to ignore the issue as it for example affects
the software component on a different operating system platform.
By default, no NVD API key is used to retrieve data from the CVE database, which
-results in larger delays between NVD API requests. See the :term:`NVDCVE_API_KEY`
+results in larger delays between NVD API requests. See the ``NVDCVE_API_KEY``
documentation on how to request and set a NVD API key.
After a build with CVE check enabled, reports for each compiled source recipe will be
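Review bot: The replacement line still sends readers to "the ``NVDCVE_API_KEY`` documentation", but this patch deletes the :term:`NVDCVE_API_KEY` entry from variables.rst, so after this commit the sentence points at nothing. Either drop the paragraph here rather than in 10/18, or reword it so it does not reference documentation that is gone.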
@@ -145,7 +145,7 @@ It is also possible to check the CVE status of individual packages as follows::
Fixing CVE product name and version mappings
============================================
-By default, :ref:`ref-classes-cve-check` uses the recipe name :term:`BPN` as CVE
+By default, ``cve-check`` uses the recipe name :term:`BPN` as CVE
product name when querying the CVE database. If this mapping contains false positives, e.g.
some reported CVEs are not for the software component in question, or false negatives like
some CVEs are not found to impact the recipe when they should, then the problems can be
@@ -288,7 +288,7 @@ the :term:`CVE_CHECK_SKIP_RECIPE` variable.
Implementation details
======================
-Here's what the :ref:`ref-classes-cve-check` class does to find unpatched CVE IDs.
+Here's what the ``cve-check`` class does to find unpatched CVE IDs.
First the code goes through each patch file provided by a recipe. If a valid CVE ID
is found in the name of the file, the corresponding CVE is considered as patched.
@@ -389,7 +389,7 @@ Don't forget to update your kernel recipe with::
include cve-exclusion_6.12.inc
Then the CVE information will automatically be added in the
-:ref:`ref-classes-cve-check` or :ref:`ref-classes-vex` report.
+``cve-check`` or :ref:`ref-classes-vex` report.
``improve_kernel_cve_report.py``
--------------------------------
@@ -402,7 +402,7 @@ CVEs by analyzing the files used to build the kernel. The script is decoupled fr
the build and can be run outside of the :term:`BitBake` environment.
The script uses the output from the :ref:`ref-classes-vex` or
-:ref:`ref-classes-cve-check` class as input, together with CVE information from
+``cve-check`` class as input, together with CVE information from
the Linux kernel CNA to enrich the ``cve-summary.json`` file with updated CVE
information.
--
2.53.0
* [PATCH v2 08/18] ref-manual/variables.rst: document the SBOM_CVE_CHECK_SHOW_WARNINGS variable
From: Antonin Godard @ 2026-04-24 8:28 UTC (permalink / raw)
To: docs; +Cc: Thomas Petazzoni, Antonin Godard
Added by commit 5a5162406ffe ("sbom-cve-check-common: print warnings
on unpatched CVEs") in OE-Core.
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
---
documentation/ref-manual/variables.rst | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst
index 0fcf81299..4341e27fc 100644
--- a/documentation/ref-manual/variables.rst
+++ b/documentation/ref-manual/variables.rst
@@ -8710,6 +8710,19 @@ system and gives an overview of their function and contents.
- ``both``: recipes are scanned in both their target and
:ref:`ref-classes-native` context
+ :term:`SBOM_CVE_CHECK_SHOW_WARNINGS`
+ When inheriting the :ref:`ref-classes-sbom-cve-check` class, this
+ variable controls whether to show warnings when CVEs with the
+ ``Unpatched`` status are found. Example output:
+
+ .. code-block:: text
+
+ WARNING: core-image-minimal-1.0-r0 do_sbom_cve_check: glibc-2.43+git: Found unpatched CVEs: CVE-2010-4756
+
+ Set to "1" to show the warnings, "0" otherwise.
+
+ See :doc:`/security-manual/vulnerabilities` for more information.
+
:term:`SDK_ARCH`
The target architecture for the SDK. Typically, you do not directly
set this variable. Instead, use :term:`SDKMACHINE`.
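Review bot: The new :term:`SBOM_CVE_CHECK_SHOW_WARNINGS` entry does not state the default value. "Set to "1" to show the warnings, "0" otherwise." tells readers how to change it but not what they get out of the box, whereas the ``CVE_CHECK_SHOW_WARNINGS`` entry removed in 07/18 said "The default is "1"". Please add the default, since it decides whether ``Unpatched`` CVEs surface in the build log without any configuration.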
--
2.53.0
* [PATCH v2 09/18] security-manual/vulnerabilities.rst: require Upstream-Status, not recommend
From: Antonin Godard @ 2026-04-24 8:28 UTC (permalink / raw)
To: docs; +Cc: Thomas Petazzoni, Antonin Godard
We want the Upstream-Status in any case, even if the status turns out to be
something like "oe-specific". So explicitly require it here.
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
---
documentation/security-manual/vulnerabilities.rst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/documentation/security-manual/vulnerabilities.rst b/documentation/security-manual/vulnerabilities.rst
index 983e1548c..6121d4d7d 100644
--- a/documentation/security-manual/vulnerabilities.rst
+++ b/documentation/security-manual/vulnerabilities.rst
@@ -234,7 +234,7 @@ the format::
CVE: CVE-2022-3341
-It is also recommended to add the ``Upstream-Status:`` tag with a link
+It is also required to add the ``Upstream-Status:`` tag with a link
to the original patch and sign-off by people working on the backport.
If there are any modifications to the original patch, note them in
the ``Comments:`` tag.
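Review bot: Changing "recommended" to "required" leaves the rest of the sentence ambiguous and partly at odds with the commit message. The sentence still asks for "a link to the original patch", which does not exist for a status such as "oe-specific" that the commit message explicitly mentions, and it is unclear whether "sign-off by people working on the backport" is now required as well. Suggest splitting it, e.g. "The ``Upstream-Status:`` tag is required. For backports, include a link to the original patch and sign-offs from the people working on the backport."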
--
2.53.0
* [PATCH v2 10/18] security-manual/vulnerabilities.rst: refresh the document after cve-check removal
From: Antonin Godard @ 2026-04-24 8:28 UTC (permalink / raw)
To: docs; +Cc: Thomas Petazzoni, Antonin Godard
The cve-check class was removed with 00de455f8d3a ("classes/cve-check:
remove class") in OE-Core. The sbom-cve-check class replaces it. And
while it can generate the same report (with the same format), the
vulnerabilities document needed an update to reflect the changes.
Notable differences:
- The output report has a different name (but same format)
- There is also an enriched SPDX report containing the vulnerabilities.
  We do not go into detail about this one as this is tied to the SPDX
  specification, and much more complicated.
- The sbom-cve-check does not produce warnings when Unpatched CVEs are
  found.
- The implementation details are removed as this is part of the
  sbom-cve-check documentation (add a link to it instead).
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
---
documentation/security-manual/vulnerabilities.rst | 219 ++++++++++------------
1 file changed, 100 insertions(+), 119 deletions(-)
diff --git a/documentation/security-manual/vulnerabilities.rst b/documentation/security-manual/vulnerabilities.rst
index 6121d4d7d..38fbd2c7e 100644
--- a/documentation/security-manual/vulnerabilities.rst
+++ b/documentation/security-manual/vulnerabilities.rst
@@ -27,125 +27,137 @@ patches to fix them, see ":doc:`/contributor-guide/submit-changes`" for details.
Vulnerability check at build time
=================================
-To enable a check for CVE security vulnerabilities using
-``cve-check`` in the specific image or target you are building,
-add the following setting to your configuration::
+To enable a check for CVE security vulnerabilities in the specific image or
+target you are building, run the following command from your :term:`Build
+Directory`:
- INHERIT += "cve-check"
+.. code-block:: console
-The CVE database contains some old incomplete entries which have been
-deemed not to impact :term:`OpenEmbedded-Core (OE-Core)`. These CVE entries can be excluded from the
-check using build configuration::
+ $ bitbake-config-build enable-fragment core/yocto/sbom-cve-check
+
+Or add the following statement to a :term:`configuration file`::
+
+ OE_FRAGMENTS += "core/yocto/sbom-cve-check"
+
+This will enable the :ref:`ref-classes-sbom-cve-check` class and set the
+recommended settings to use it.
+
+The CVE database contains some old incomplete entries which have been deemed not
+to impact :term:`OpenEmbedded-Core (OE-Core)`. These CVE entries can be excluded
+from the check by adding the following statement::
include conf/distro/include/cve-extra-exclusions.inc
-With this CVE check enabled, BitBake build will try to map each compiled software component
-recipe name and version information to the CVE database and generate recipe and
-image specific reports. These reports will contain:
+With the :ref:`ref-fragments-core-yocto-sbom-cve-check` fragment enabled, the
+:term:`BitBake` build of an image will try to map each compiled software
+component recipe name and version information to the CVE database and generate
+reports in the deployment directory (:term:`DEPLOY_DIR_IMAGE`), one of which
+being: ``tmp/deploy/images/<machine>/<image-name>-<machine>.rootfs.sbom-cve-check.yocto.json``,
+a report containing:
-- metadata about the software component like names and versions
+ - Metadata about the software component like names and versions
+ - Metadata about the CVE issue such as description and NVD link
+ - For each software component, a list of CVEs which are possibly impacting this version
+ - Status of each CVE: ``Patched``, ``Unpatched`` or ``Ignored``
-- metadata about the CVE issue such as description and NVD link
+.. note::
-- for each software component, a list of CVEs which are possibly impacting this version
+ Another report named ``<image-name>-<machine>.rootfs.sbom-cve-check.spdx.json``
+ is also generated: this is the enriched :term:`SPDX` file of the image
+ containing the same information contained in the previous point, and a lot
+ more metadata information on the packages included in the image. For more
+ information on :term:`SPDX`, see the :doc:`/dev-manual/sbom` section of the
+ Yocto Project Development Tasks Manual.
-- status of each CVE: ``Patched``, ``Unpatched`` or ``Ignored``
+Each item in the ``"package"`` list corresponds to a package installed on the
+built image. Each of these packages contain a number of CVE entries under the
+``"issue"`` sub-list. These CVE can have the following statuses:
-The status ``Patched`` means that a patch file to address the security issue has been
-applied. ``Unpatched`` status means that no patches to address the issue have been
-applied and that the issue needs to be investigated. ``Ignored`` means that after
-analysis, it has been deemed to ignore the issue as it for example affects
-the software component on a different operating system platform.
+- ``Patched`` means that a patch file to address the security issue
+ has been applied.
-By default, no NVD API key is used to retrieve data from the CVE database, which
-results in larger delays between NVD API requests. See the ``NVDCVE_API_KEY``
-documentation on how to request and set a NVD API key.
+- ``Unpatched`` means that no patches to address the issue have been
+ applied and that the issue needs to be investigated.
-After a build with CVE check enabled, reports for each compiled source recipe will be
-found in ``build/tmp/deploy/cve``.
+- ``Ignored`` means that after analysis, it has been deemed to ignore the issue
+ as it for example affects the software component on a different operating
+ system platform.
-For example the CVE check report for the ``flex-native`` recipe looks like::
+For example, the report for the ``glibc`` package looks like this (simplified):
+
+.. code-block:: json
- $ cat ./tmp/deploy/cve/flex-native_cve.json
{
"version": "1",
"package": [
{
- "name": "flex-native",
- "layer": "meta",
- "version": "2.6.4",
+ "name": "glibc",
+ "layer": "core",
+ "version": "2.43+git",
"products": [
{
- "product": "flex",
- "cvesInRecord": "No"
- },
- {
- "product": "flex",
+ "product": "glibc",
"cvesInRecord": "Yes"
}
],
"issue": [
{
- "id": "CVE-2006-0459",
- "status": "Patched",
- "link": "https://nvd.nist.gov/vuln/detail/CVE-2006-0459",
- "summary": "flex.skl in Will Estes and John Millaway Fast Lexical Analyzer Generator (flex) before 2.5.33 does not allocate enough memory for grammars containing (1) REJECT statements or (2) trailing context rules, which causes flex to generate code that contains a buffer overflow that might allow context-dependent attackers to execute arbitrary code.",
- "scorev2": "7.5",
+ "id": "CVE-2010-4756",
+ "status": "Unpatched",
+ "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-4756",
+ "summary": "The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.",
+ "scorev2": "4.0",
"scorev3": "0.0",
"scorev4": "0.0",
- "modified": "2024-11-21T00:06Z",
+ "modified": "2025-11-03T22:15:41.000",
"vector": "NETWORK",
- "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
- "detail": "version-not-in-range"
+ "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
+ "detail": "no-version-ranges",
+ "description": "Check package version"
},
{
- "id": "CVE-2016-6354",
+ "id": "CVE-2018-6551",
"status": "Patched",
- "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-6354",
- "summary": "Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly execute arbitrary code via vectors involving num_to_read.",
+ "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6551",
+ "summary": "The malloc implementation in the GNU C Library (aka glibc or libc6), from version 2.24 to 2.26 on powerpc, and only in version 2.26 on i386, did not properly handle malloc calls with arguments close to SIZE_MAX and could return a pointer to a heap region that is smaller than requested, eventually leading to heap corruption.",
"scorev2": "7.5",
"scorev3": "9.8",
"scorev4": "0.0",
- "modified": "2024-11-21T02:55Z",
+ "modified": "2024-11-21T04:10:53.000",
"vector": "NETWORK",
- "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"detail": "version-not-in-range"
},
{
- "id": "CVE-2019-6293",
+ "id": "CVE-2019-1010022",
"status": "Ignored",
- "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-6293",
- "summary": "An issue was discovered in the function mark_beginning_as_normal in nfa.c in flex 2.6.4. There is a stack exhaustion problem caused by the mark_beginning_as_normal function making recursive calls to itself in certain scenarios involving lots of '*' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service.",
- "scorev2": "4.3",
- "scorev3": "5.5",
+ "link": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010022",
+ "summary": "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate \"this is being treated as a non-security bug and no real threat.",
+ "scorev2": "7.5",
+ "scorev3": "9.8",
"scorev4": "0.0",
- "modified": "2024-11-21T04:46Z",
+ "modified": "2024-11-21T04:17:55.000",
"vector": "NETWORK",
- "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
- "detail": "upstream-wontfix",
- "description": "there is stack exhaustion but no bug and it is building the parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address this."
+ "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+ "description": "Upstream glibc maintainers dispute there is any issue and have no plans to address it further. this is being treated as a non-security bug and no real threat."
}
- ]
+ ],
+ "cpes": ["cpe:2.3:*:*:glibc:2.43:*:*:*:*:*:*:*"]
}
]
}
-For images, a summary of all recipes included in the image and their CVEs is also
-generated in the JSON format. These ``.json`` reports can be found
-in the ``tmp/deploy/images`` directory for each compiled image.
-
-At build time CVE check will also throw warnings about ``Unpatched`` CVEs::
+At build time the :ref:`ref-classes-sbom-cve-check` class will also throw warnings about
+``Unpatched`` CVEs (when :term:`SBOM_CVE_CHECK_SHOW_WARNINGS` is set to "1"):
- WARNING: qemu-native-9.2.0-r0 do_cve_check: Found unpatched CVE (CVE-2023-1386)
+.. code-block:: text
-It is also possible to check the CVE status of individual packages as follows::
-
- bitbake -c cve_check flex libarchive
+ WARNING: core-image-minimal-1.0-r0 do_sbom_cve_check: glibc-2.43+git: Found unpatched CVEs: CVE-2010-4756
Fixing CVE product name and version mappings
============================================
-By default, ``cve-check`` uses the recipe name :term:`BPN` as CVE
+By default, :ref:`ref-classes-sbom-cve-check` uses the recipe name :term:`BPN` as CVE
product name when querying the CVE database. If this mapping contains false positives, e.g.
some reported CVEs are not for the software component in question, or false negatives like
some CVEs are not found to impact the recipe when they should, then the problems can be
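Review bot: The added paragraph "At build time the :ref:`ref-classes-sbom-cve-check` class will also throw warnings about ``Unpatched`` CVEs" contradicts the commit message, which lists "The sbom-cve-check does not produce warnings when Unpatched CVEs are found" as a notable difference; one of the two needs updating. In the same hunk, the removed per-recipe invocation ``bitbake -c cve_check flex libarchive`` gets no replacement and no statement that per-recipe checks are gone, and the ``CVE-2019-1010022`` entry in the example has no ``"detail"`` field while the other two issues do, so say whether that field is optional. Minor grammar in the added text: "one of which being:", "Each of these packages contain" and "These CVE can have".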
@@ -175,7 +187,7 @@ Fixing vulnerabilities in recipes
Suppose a CVE security issue impacts a software component. In that case, it can
be fixed by updating to a newer version, by applying a patch, or by marking it
-as patched via :term:`CVE_STATUS` variable flag. For OE-Core master
+as patched via :term:`CVE_STATUS` variable flag. For :term:`OpenEmbedded-Core (OE-Core)` master
branches, updating to a more recent software component release with fixes is
the best option, but patches can be applied if releases are not yet available.
@@ -228,7 +240,7 @@ is::
1 file changed, 12 insertions(+), 4 deletions(-)
-For the correct operations of the ``cve-check``, it requires the CVE
+For the correct operations of :ref:`ref-classes-sbom-cve-check`, it requires the CVE
identification in a ``CVE:`` tag of the patch file commit message using
the format::
@@ -265,8 +277,8 @@ With the additional information, the header of the patch file in OE-core becomes
A good practice is to include the CVE identifier in the patch file name, the patch file
commit message and optionally in the recipe commit message.
-CVE checker will then capture this information and change the CVE status to ``Patched``
-in the generated reports.
+:ref:`ref-classes-sbom-cve-check` will then capture this information and change the CVE
+status to ``Patched`` in the generated reports.
If analysis shows that the CVE issue does not impact the recipe due to configuration, platform,
version or other reasons, the CVE can be marked as ``Ignored`` by using
@@ -282,44 +294,6 @@ to fix those issues in the CVE database (NVD in the case of
Note that if there are many CVEs with the same status and reason, those can be
shared by using the :term:`CVE_STATUS_GROUPS` variable.
-Recipes can be completely skipped by CVE check by including the recipe name in
-the :term:`CVE_CHECK_SKIP_RECIPE` variable.
-
-Implementation details
-======================
-
-Here's what the ``cve-check`` class does to find unpatched CVE IDs.
-
-First the code goes through each patch file provided by a recipe. If a valid CVE ID
-is found in the name of the file, the corresponding CVE is considered as patched.
-Don't forget that if multiple CVE IDs are found in the filename, only the last
-one is considered. Then, the code looks for ``CVE: CVE-ID`` lines in the patch
-file. The found CVE IDs are also considered as patched.
-Additionally ``CVE_STATUS`` variable flags are parsed for reasons mapped to ``Patched``
-and these are also considered as patched.
-
-Then, the code looks up all the CVE IDs in the NIST database for all the
-products defined in :term:`CVE_PRODUCT`. Then, for each found CVE:
-
-- If the package name (:term:`PN`) is part of
- :term:`CVE_CHECK_SKIP_RECIPE`, it is considered as ``Patched``.
-
-- If the CVE ID has status ``CVE_STATUS[<CVE ID>] = "ignored"`` or if it's set to
- any reason which is mapped to status ``Ignored`` via ``CVE_CHECK_STATUSMAP``,
- it is set as ``Ignored``.
-
-- If the CVE ID is part of the patched CVE for the recipe, it is
- already considered as ``Patched``.
-
-- Otherwise, the code checks whether the recipe version (:term:`PV`)
- is within the range of versions impacted by the CVE. If so, the CVE
- is considered as ``Unpatched``.
-
-The CVE database is stored in :term:`DL_DIR` and can be inspected using
-``sqlite3`` command as follows::
-
- sqlite3 downloads/CVE_CHECK2/nvd*.db .dump | grep CVE-2021-37462
-
When analyzing CVEs, it is recommended to:
- study the latest information in `CVE database <https://nvd.nist.gov/vuln/search>`__.
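Review bot: After this removal the document no longer says how to exclude a whole recipe from the check, while variables.rst still documents :term:`CVE_CHECK_SKIP_RECIPE` for :ref:`ref-classes-vex` after 07/18; state whether the new class honours it or what replaces it. The deleted implementation details also carried the caveat "if multiple CVE IDs are found in the filename, only the last one is considered", yet the retained text above still advises putting the CVE identifier in the patch file name. If that detection rule carries over, keep the caveat next to the advice; if not, say where the new rules are documented.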
@@ -335,6 +309,12 @@ When analyzing CVEs, it is recommended to:
- follow public `open source security mailing lists <https://oss-security.openwall.org/wiki/mailing-lists>`__ for
discussions and advance notifications of CVE bugs and software releases with fixes.
+Implementation details
+======================
+
+As :ref:`ref-classes-sbom-cve-check` is an external tool, its implementation is detailed on
+the official documentation: https://sbom-cve-check.readthedocs.io/en/latest/index.html
+
Linux kernel vulnerabilities
============================
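Review bot: "As :ref:`ref-classes-sbom-cve-check` is an external tool" calls the class an external tool; the role links to the class reference, while the external tool is the sbom-cve-check project the class uses. Suggest "As the :ref:`ref-classes-sbom-cve-check` class relies on the external sbom-cve-check tool, its implementation is detailed in the official documentation". The bare ``/en/latest/`` URL will also follow whatever the tool's documentation becomes rather than the version used by this release, so consider a named link and, if available, a versioned URL.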
@@ -396,15 +376,16 @@ Then the CVE information will automatically be added in the
The ``openembedded-core/scripts/contrib/improve_kernel_cve_report.py`` script
leverages CVE kernel metadata and the :term:`SPDX_INCLUDE_COMPILED_SOURCES`
-variable to update a ``cve-summary.json`` file. It reduces CVE false
-positives by 70%-80% and provide detailed responses for all kernel-related
-CVEs by analyzing the files used to build the kernel. The script is decoupled from
-the build and can be run outside of the :term:`BitBake` environment.
+variable to update an output ``.sbom-cve-check.yocto.json`` report file (see
+section :ref:`security-manual/vulnerabilities:Vulnerability check at build time`
+for details on these report files). It reduces CVE false positives by 70%-80%
+and provide detailed responses for all kernel-related CVEs by analyzing the
+files used to build the kernel. The script is decoupled from the build and
+can be run outside of the :term:`BitBake` environment.
-The script uses the output from the :ref:`ref-classes-vex` or
-``cve-check`` class as input, together with CVE information from
-the Linux kernel CNA to enrich the ``cve-summary.json`` file with updated CVE
-information.
+The script uses the output from the :ref:`ref-classes-vex` as input, together
+with CVE information from the Linux kernel CNA to enrich the
+report file with updated CVE information.
The file name can be specified as argument. Optionally, it can also use the
list of compiled files from the kernel :term:`SPDX` to ignore CVEs that are
@@ -465,7 +446,7 @@ the first two examples, using the old cve-summary.json.
$ python3 openembedded-core/scripts/contrib/improve_kernel_cve_report.py \
--spdx tmp/deploy/spdx/3.0.1/qemux86_64/recipes/recipe-linux-yocto.spdx.json \
--datadir ~/vulns \
- --old-cve-report build/tmp/log/cve/cve-summary.json
+ --old-cve-report build/tmp/deploy/images/<machine>/<image-name>-<machine>.rootfs.sbom-cve-check.yocto.json
- Example using ``--debug-sources`` file instead of SPDX kernel file:
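Review bot: The new ``--old-cve-report`` path starts with ``build/tmp/deploy/images/``, but the ``--spdx`` argument two lines above uses ``tmp/deploy/spdx/...`` and the report path given earlier in this patch starts with ``tmp/deploy/images/``, so the command mixes two different working directories. Use one base consistently here and in the ``--debug-sources`` example in the next hunk. The hunk header context also shows that the introductory sentence still reads "using the old cve-summary.json", which should be updated along with the examples.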
@@ -474,7 +455,7 @@ the first two examples, using the old cve-summary.json.
$ python3 openembedded-core/scripts/contrib/improve_kernel_cve_report.py \
--debug-sources tmp/pkgdata/qemux86_64/debugsources/linux-yocto-debugsources.json.zstd \
--datadir ~/vulns \
- --old-cve-report build/tmp/log/cve/cve-summary.json
+ --old-cve-report build/tmp/deploy/images/<machine>/<image-name>-<machine>.rootfs.sbom-cve-check.yocto.json
- Example using the ``--kernel-version``:
--
2.53.0
* [PATCH v2 11/18] migration-guides/migration-6.0.rst: add migration notes on cve-check removal
From: Antonin Godard @ 2026-04-24 8:28 UTC (permalink / raw)
To: docs; +Cc: Thomas Petazzoni, Antonin Godard
The cve-check class was removed with 00de455f8d3a ("classes/cve-check:
remove class") in OE-Core. Add migration notes to migrate from cve-check
to sbom-cve-check.
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
---
documentation/migration-guides/migration-6.0.rst | 79 ++++++++++++++++++++++
.../migration-guides/release-notes-6.0.rst | 3 -
2 files changed, 79 insertions(+), 3 deletions(-)
diff --git a/documentation/migration-guides/migration-6.0.rst b/documentation/migration-guides/migration-6.0.rst
index d763062da..ecb124a93 100644
--- a/documentation/migration-guides/migration-6.0.rst
+++ b/documentation/migration-guides/migration-6.0.rst
@@ -291,6 +291,81 @@ information.
Users are advised to transition to SDPX 3.0, which is provided by the
:ref:`ref-classes-create-spdx` class.
+``cve-check`` class removed
+---------------------------
+
+The ``cve-check`` class was removed and replaced by the
+:ref:`ref-classes-sbom-cve-check` class. Quoting the commit removing the class
+(:oecore_rev:`00de455f8d3aeca880129d23e8cfb7e246404699`):
+
+.. code-block:: text
+
+ It's been long known that the cve-check class in oe-core is not that
+ usable in the real world, for more details see "Future of CVE scanning
+ in Yocto"[1]. This mail proposed an alternative direction that included
+ a CVE scanning tool that can be ran both during the build and afterwards,
+ so that periodic scans of a previously build image is possible.
+
+ Last year, Bootlin wrote sbom-cve-check[2] and I compared this to my
+ proposal in "Comparing cve-check with sbom-cve-check"[3], concluding
+ that this is likely the missing piece.
+
+ Support for sbom-cve-check has been merged into oe-core, and the
+ cve-check class is now obsolete. So that we don't have to maintain it for
+ the four-year lifecycle of the Wrynose release, delete it.
+
+ This patch also deletes the database fetcher recipes, and the test cases
+ that were specific to cve-check. Note that the oe.cve_check library
+ still exists as this is used by the SPDX classes.
+
+ [1] https://lore.kernel.org/openembedded-core/7D6E419E-A7AE-4324-966C-3552C586E452@arm.com/
+ [2] https://github.com/bootlin/sbom-cve-check
+ [3] https://lore.kernel.org/openembedded-core/2CD10DD9-FB2A-4B10-B98A-85918EB6B4B7@arm.com/
+
+Users currently using the ``cve-check`` class are advised to switch to
+:ref:`ref-classes-sbom-cve-check`:
+
+- The following assignment::
+
+ INHERIT += "cve-check"
+
+ Should be removed and replaced by::
+
+ OE_FRAGMENTS += "core/yocto/sbom-cve-check"
+
+ This will enable the :ref:`ref-classes-sbom-cve-check` class along with the recommended
+ settings.
+
+ This will deploy two files to the deployment directory
+ (:term:`DEPLOY_DIR_IMAGE`) after building an image:
+
+ - A file ending with ``.sbom-cve-check.yocto.json``: this is the output JSON
+ report in the same format as the one deployed by the ``cve-check`` class.
+
+ - A file ending with ``.sbom-cve-check.spdx.json``: this is an output SPDX
+ report annonated with vulnerable CVEs.
+
+- The ``cve-check`` class output summary file (deployed in the
+ :term:`DEPLOY_DIR_IMAGE`) ending with ``.cve.txt`` is no longer
+ deployed by default but can be added back by adding the following statement
+ to a configuration file::
+
+ SBOM_CVE_CHECK_EXPORT_VARS:append = " SBOM_CVE_CHECK_EXPORT_SUMMARY"
+
+ This will deploy a new file ending with ``.cve.txt``, which uses the same
+ format as the summary previously deployed by the ``cve-check`` class.
+
+ See the documentation of :term:`SBOM_CVE_CHECK_EXPORT_VARS` for more
+ details.
+
+- The ``CVE_CHECK_SHOW_WARNINGS`` variable, which was used to control whether
+ the ``cve-check`` would print warning when unpatched CVEs were found, is now
+ removed and replaced by the :term:`SBOM_CVE_CHECK_SHOW_WARNINGS` variable,
+ which does the same.
+
+See the :doc:`/security-manual/vulnerabilities` section of the Yocto Project
+Security Manual for more information.
+
:term:`CVE_PRODUCT` character escaping change
---------------------------------------------
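Review bot: two wording slips in the added ``cve-check`` section should be fixed before merge. In the ``.sbom-cve-check.spdx.json`` bullet, "annonated" should be "annotated". In the ``CVE_CHECK_SHOW_WARNINGS`` bullet, "the ``cve-check`` would print warning" should read "the ``cve-check`` class would print warnings". "Should be removed and replaced by::" continues the sentence opened by "The following assignment::", so it should start in lower case. The unchanged context line just above the new section reads "SDPX 3.0" where "SPDX 3.0" is meant, which is worth correcting while this area is being edited. On content: the text says the fragment enables the class "along with the recommended settings" without naming them. A one-line summary or a link would let users who relied on ``cve-check`` warnings confirm that unpatched-CVE reporting is still active after switching to ``OE_FRAGMENTS``.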
@@ -410,6 +485,10 @@ The following recipes have been removed in this release:
(OE-Core)` and Python 3.14 now has built-in support for zstd
(:oecore_rev:`55061de857657ea01babc5652caa062e8d292c44`)
+- ``cve-update-db-native``, ``cve-update-nvd2-native``: removed with the
+ ``cve-check`` class removal as it was the only user of these recipes.
+ (:oecore_rev:`00de455f8d3aeca880129d23e8cfb7e246404699`)
+
Removed :term:`PACKAGECONFIG` options
-------------------------------------
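Review bot: in the added ``cve-update-db-native`` / ``cve-update-nvd2-native`` entry, the sentence ends with a full stop before the parenthesised ``:oecore_rev:`` reference, while the context entry directly above ("built-in support for zstd") puts the revision inside the sentence with no full stop. Use one style for both. "as it was the only user of these recipes" is also ambiguous after a plural subject; "as the class was the only user of these recipes" reads more clearly.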
diff --git a/documentation/migration-guides/release-notes-6.0.rst b/documentation/migration-guides/release-notes-6.0.rst
index 31d4cdfce..9d611d70a 100644
--- a/documentation/migration-guides/release-notes-6.0.rst
+++ b/documentation/migration-guides/release-notes-6.0.rst
@@ -574,9 +574,6 @@ New Features / Enhancements in |yocto-ver|
- :ref:`ref-classes-sbom-cve-check`-related changes:
- - ``cve-update-nvd2-native``: Use maximum CVSS score when extracting it from
- multiple sources (:oecore_rev:`4f6192f3165de0bc2499e045607c7e7ffd878a4b`)
-
- Escape special characters in CPE 2.3 strings
(:oecore_rev:`9dd9c0038907340ba08ff4c8ee06a8748c1ac00a`)
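Review bot: the commit message only mentions adding migration notes, but this hunk deletes the ``cve-update-nvd2-native`` "Use maximum CVSS score" entry from the release notes. Say in the commit message why the entry is dropped (presumably because the recipe is removed in the same release), so the deletion does not look accidental when reading the log.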
--
2.53.0
* [PATCH v2 12/18] migration-guides/release-notes-6.0.rst: cover recent changes
From: Antonin Godard @ 2026-04-24 8:28 UTC (permalink / raw)
To: docs; +Cc: Thomas Petazzoni, Antonin Godard
Cover changes between 00de455f8d3a ("classes/cve-check: remove class")
and 9a83f0878b6b ("busybox: fix for CVE-2026-26157, CVE-2026-26158") in
OE-Core. There were no changes to BitBake and meta-yocto since the last
update of these release notes.
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
---
.../migration-guides/release-notes-6.0.rst | 31 ++++++++++++++++++----
1 file changed, 26 insertions(+), 5 deletions(-)
diff --git a/documentation/migration-guides/release-notes-6.0.rst b/documentation/migration-guides/release-notes-6.0.rst
index 9d611d70a..524a1a199 100644
--- a/documentation/migration-guides/release-notes-6.0.rst
+++ b/documentation/migration-guides/release-notes-6.0.rst
@@ -237,8 +237,6 @@ New Features / Enhancements in |yocto-ver|
in the default distro setup (appearing as ``nodistro`` :term:`DISTRO`)
(:oecore_rev:`175fcf9fad699dd122680d3f6961af9bf8487046`)
-- Architecture-specific changes:
-
- QEMU / ``runqemu`` changes:
- ``qemuboot```: Make the tap interface nameserver configurable through
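Review bot: the context line under "QEMU / ``runqemu`` changes" reads ``qemuboot```: with three closing backticks, which leaves a stray backtick in the rendered output. Since this patch already tidies the neighbouring empty "Architecture-specific changes:" heading, the extra backtick could be dropped here too.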
@@ -289,6 +287,9 @@ New Features / Enhancements in |yocto-ver|
- Enable dynamic LLVM linking by default
(:oecore_rev:`d0671c3dad87a063b3a41dd07cde89b5684e692c`)
+ - Enable fully static linking when :term:`TCLIBC` is set to ``musl``
+ (:oecore_rev:`75409c60e9e63fdcbb9d4f54130052991362ec08`)
+
- Wic Image Creator changes:
- ``wic/engine``: Fix copying directories into wic image with ``ext*``
@@ -297,7 +298,13 @@ New Features / Enhancements in |yocto-ver|
- Re-implement sector-size support
(:oecore_rev:`b50d6debf7baa555fbfb3521c4f952675bba2d37`)
-- SDK-related changes:
+ - The Wic tool is now maintained in a separate project, no longer part of
+ :term:`OpenEmbedded-Core (OE-Core)`: :yocto_git:`/wic/`
+
+ - A new ``wicenv`` type can be added to :term:`IMAGE_FSTYPES` to place the
+ ``.env`` file generate by Wic in the deployment directory
+ (:term:`DEPLOY_DIR_IMAGE`)
+ (:oecore_rev:`e4d49702f21fb75444d58f419432649a04e351c9`)
- Testing-related changes:
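Review bot: in the new ``wicenv`` bullet, "the ``.env`` file generate by Wic" should be "generated by Wic". The first added bullet, about Wic moving to a separate project, carries no ``:oecore_rev:`` reference, unlike the entries around it. Adding the revision that removed Wic from OE-Core would let readers trace the change.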
@@ -374,6 +381,9 @@ New Features / Enhancements in |yocto-ver|
- Update data if CVE exists (:oecore_rev:`9ea6d9209b95f8d31975d71315fb52343e6aa729`)
- Validate that cve details field exists (:oecore_rev:`80ff4903ea1b839f9cd9393b314c3adfbb80b765`)
+ - ``oe-pkgdata-util``: improve the ``lookup-pkg`` error message for
+ :term:`RPROVIDES` packages
+ (:oecore_rev:`46ff3a8d2c18fcba87c711bb23dbdabae20eef84`)
- BitBake changes:
@@ -463,7 +473,9 @@ New Features / Enhancements in |yocto-ver|
configuration options when fetching Git repositories
(:bitbake_rev:`4c378445969853d6aff4694d937b9af47c7f7300`)
-- Packaging changes:
+ - When using the ``subpath`` parameter with the Git fetcher in an
+ :term:`SRC_URI`, properly make the ``HEAD`` point to the value specified
+ in :term:`SRCREV`.
- Clang/LLVM related changes:
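Review bot: the added ``subpath`` entry sits next to a ``:bitbake_rev:`` item but has no revision reference of its own, and the commit message states that there were no BitBake changes since the last update of these notes. Either add the ``:bitbake_rev:`` for the Git fetcher change or adjust the commit message, so the two agree.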
@@ -517,7 +529,6 @@ New Features / Enhancements in |yocto-ver|
:term:`SPDX_INCLUDE_VEX` variable
(:oecore_rev:`d999ac407c86b462134008818d5863ecb577f3c6`)
-
- ``devtool`` changes:
- ``ide-sdk``:
@@ -580,6 +591,7 @@ New Features / Enhancements in |yocto-ver|
- New :term:`PACKAGECONFIG` options for individual recipes:
- ``curl``: ``schannel``
+ - ``gstreamer1.0-plugins-bad``: ``fdkaac``
- ``gstreamer1.0-plugins-good``: ``qt6``
- ``libinput``: ``lua``, ``libwacom``, ``mtdev``
- ``librepo``: ``sequoia``
@@ -590,6 +602,8 @@ New Features / Enhancements in |yocto-ver|
- ``python3``: ``freethreading`` (experimental, see
:oecore_rev:`c56990178b31b893fbf695eaf6b67de501e9d2e9`)
- ``python3-cryptography``: ``legacy-openssl``
+ - ``systemd``: ``osc-context``
+ - ``systemtap``: ``readline``
- systemd related changes:
@@ -733,6 +747,13 @@ New Features / Enhancements in |yocto-ver|
- :ref:`ref-classes-archiver`: Don't try to preserve all attributes when
copying files (:oecore_rev:`6e8313688fa994c82e4c846993ed8da0d1f4db0e`)
+ - :ref:`ref-classes-useradd`: allow inheriting the class with only
+ :term:`USERADD_DEPENDS` set, when a recipe only depends on users/groups
+ created by another (:oecore_rev:`09a901b9874f76e665fb4ba9e537703a792011e3`)
+
+ - ``vim``: disable `GTK+3` UI by default
+ (:oecore_rev:`a07763f03d4faacca4470e4f1f80f766ed068296`)
+
Known Issues in |yocto-ver|
---------------------------
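Review bot: in the added ``vim`` entry, `GTK+3` is written with single backticks, which reStructuredText treats as interpreted text in the default role rather than as a literal. The rest of the file uses double backticks for literals, so this should be ``GTK+3`` or plain text.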
--
2.53.0
* [PATCH v2 13/18] migration-guides/release-notes-6.0.rst: add license changes
From: Antonin Godard @ 2026-04-24 8:28 UTC (permalink / raw)
To: docs; +Cc: Thomas Petazzoni, Antonin Godard
Add license changes between yocto-5.3 and 8751ec834211
("build-appliance-image: Update to whinlatter head revisions") on
OE-Core.
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
---
.../migration-guides/release-notes-6.0.rst | 30 +++++++++++++++++++---
1 file changed, 26 insertions(+), 4 deletions(-)
diff --git a/documentation/migration-guides/release-notes-6.0.rst b/documentation/migration-guides/release-notes-6.0.rst
index 524a1a199..16cd2a8e3 100644
--- a/documentation/migration-guides/release-notes-6.0.rst
+++ b/documentation/migration-guides/release-notes-6.0.rst
@@ -764,18 +764,40 @@ Known Issues in |yocto-ver|
Recipe License changes in |yocto-ver|
-------------------------------------
+..
+ Going through commits on OE-Core filtered by License-Update:
+ git log -U0 --patch --grep "License-Update:" yocto-5.3..origin/master
+
The following changes have been made to the :term:`LICENSE` values set by recipes:
.. list-table::
:widths: 20 40 40
:header-rows: 1
- * - Recipe
- - Previous value
- - New value
- * - ``recipe name``
+ * - Recipe(s)
- Previous value
- New value
+ * - ``libxcrypt-compat``, ``libxcrypt``
+ - ``LGPL-2.1-only``
+ - ``LGPL-2.1-only & 0BSD & BSD-3-Clause``
+ * - ``libpcre2``
+ - ``BSD-3-Clause``
+ - ``BSD-3-Clause & BSD-2-Clause & MIT``
+ * - ``libtest-fatal-perl``
+ - ``Artistic-1.0 | GPL-1.0-or-later``
+ - ``Artistic-1.0-Perl | GPL-1.0-or-later``
+ * - ``python3-cffi``
+ - ``MIT``
+ - ``MIT-0``
+ * - ``icu``
+ - ``ICU``
+ - ``ICU & MIT``
+ * - ``iso-code``
+ - ``LGPL-2.1-only``
+ - ``LGPL-2.1-or-later``
+ * - ``ruby``
+ - ``Ruby | BSD-2-Clause | BSD-3-Clause | GPL-2.0-only | ISC | MIT``
+ - ``Ruby | BSD-2-Clause | BSD-3-Clause | GPL-2.0-only | ISC | MIT | BSL-1.0 | Apache-2.0``
Security Fixes in |yocto-ver|
-----------------------------
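Review bot: the license table names the recipe ``iso-code``, while patch 15/18 of this series lists it as ``iso-codes`` in the recipe upgrades table, so one of the two is misspelled. Separately, the added comment records the range as ``yocto-5.3..origin/master``, a moving target, while the commit message pins the end of the range to 8751ec834211. Putting the fixed revision in the comment would make the table reproducible.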
--
2.53.0
* [PATCH v2 14/18] migration-guides/release-notes-6.0.rst: update CVE fixes
From: Antonin Godard @ 2026-04-24 8:28 UTC (permalink / raw)
To: docs; +Cc: Thomas Petazzoni, Antonin Godard
Use documentation/tools/gen-cve-release-notes to generate the array.
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
---
.../migration-guides/release-notes-6.0.rst | 69 +++++++++++++++++++++-
1 file changed, 67 insertions(+), 2 deletions(-)
diff --git a/documentation/migration-guides/release-notes-6.0.rst b/documentation/migration-guides/release-notes-6.0.rst
index 16cd2a8e3..c447292fe 100644
--- a/documentation/migration-guides/release-notes-6.0.rst
+++ b/documentation/migration-guides/release-notes-6.0.rst
@@ -802,6 +802,9 @@ The following changes have been made to the :term:`LICENSE` values set by recipe
Security Fixes in |yocto-ver|
-----------------------------
+..
+ Generated with documentation/tools/gen-cve-release-notes
+
The following CVEs have been fixed:
.. list-table::
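Review bot: the added comment names ``documentation/tools/gen-cve-release-notes`` but not the arguments or revision range it was run with. Recording them, as the license section's comment does for its ``git log`` command, would let the next release-notes update regenerate and diff the table.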
@@ -810,8 +813,70 @@ The following CVEs have been fixed:
* - Recipe
- CVE IDs
- * - ``recipe name``
- - :cve_nist:`xxx-xxxx`, ...
+ * - ``avahi``
+ - :cve_nist:`2025-59529`, :cve_nist:`2026-34933`
+ * - ``binutils``
+ - :cve_nist:`2025-69644`, :cve_nist:`2025-69647`, :cve_nist:`2025-69648`, :cve_nist:`2025-69649`, :cve_nist:`2025-69650`, :cve_nist:`2025-69651`, :cve_nist:`2025-69652`, :cve_nist:`2026-3441`, :cve_nist:`2026-3442`, :cve_nist:`2026-4647`
+ * - ``binutils-cross-x86_64``
+ - :cve_nist:`2025-69644`, :cve_nist:`2025-69647`, :cve_nist:`2025-69648`, :cve_nist:`2025-69649`, :cve_nist:`2025-69650`, :cve_nist:`2025-69651`, :cve_nist:`2025-69652`, :cve_nist:`2026-3441`, :cve_nist:`2026-3442`, :cve_nist:`2026-4647`
+ * - ``binutils-testsuite``
+ - :cve_nist:`2025-69644`, :cve_nist:`2025-69647`, :cve_nist:`2025-69648`, :cve_nist:`2025-69649`, :cve_nist:`2025-69650`, :cve_nist:`2025-69651`, :cve_nist:`2025-69652`, :cve_nist:`2026-3441`, :cve_nist:`2026-3442`, :cve_nist:`2026-4647`
+ * - ``cargo``
+ - :cve_nist:`2026-39837`, :cve_nist:`2026-39839`, :cve_nist:`2026-39840`, :cve_nist:`2026-39841`
+ * - ``cups``
+ - :cve_nist:`2026-34978`, :cve_nist:`2026-34979`, :cve_nist:`2026-34980`, :cve_nist:`2026-34990`, :cve_nist:`2026-39314`, :cve_nist:`2026-39316`
+ * - ``ffmpeg``
+ - :cve_nist:`2025-69693`, :cve_nist:`2026-40962`
+ * - ``glibc``
+ - :cve_nist:`2026-4046`, :cve_nist:`2026-4437`, :cve_nist:`2026-4438`
+ * - ``go``
+ - :cve_nist:`2026-27140`, :cve_nist:`2026-27143`, :cve_nist:`2026-27144`, :cve_nist:`2026-32280`, :cve_nist:`2026-32281`, :cve_nist:`2026-32282`, :cve_nist:`2026-32283`, :cve_nist:`2026-32288`, :cve_nist:`2026-32289`
+ * - ``go-binary-native``
+ - :cve_nist:`2026-27140`, :cve_nist:`2026-27143`, :cve_nist:`2026-27144`, :cve_nist:`2026-32280`, :cve_nist:`2026-32281`, :cve_nist:`2026-32282`, :cve_nist:`2026-32283`, :cve_nist:`2026-32288`, :cve_nist:`2026-32289`
+ * - ``go-cross-x86-64-v3``
+ - :cve_nist:`2026-27140`, :cve_nist:`2026-27143`, :cve_nist:`2026-27144`, :cve_nist:`2026-32280`, :cve_nist:`2026-32281`, :cve_nist:`2026-32282`, :cve_nist:`2026-32283`, :cve_nist:`2026-32288`, :cve_nist:`2026-32289`
+ * - ``go-runtime``
+ - :cve_nist:`2026-27140`, :cve_nist:`2026-27143`, :cve_nist:`2026-27144`, :cve_nist:`2026-32280`, :cve_nist:`2026-32281`, :cve_nist:`2026-32282`, :cve_nist:`2026-32283`, :cve_nist:`2026-32288`, :cve_nist:`2026-32289`
+ * - ``gstreamer1.0``
+ - :cve_nist:`2026-2920`, :cve_nist:`2026-2921`, :cve_nist:`2026-2922`, :cve_nist:`2026-2923`, :cve_nist:`2026-3081`, :cve_nist:`2026-3082`, :cve_nist:`2026-3083`, :cve_nist:`2026-3084`, :cve_nist:`2026-3085`, :cve_nist:`2026-3086`
+ * - ``libarchive``
+ - :cve_nist:`2026-5121`
+ * - ``libexif``
+ - :cve_nist:`2026-40385`, :cve_nist:`2026-40386`
+ * - ``libinput``
+ - :cve_nist:`2026-35093`, :cve_nist:`2026-35094`
+ * - ``libpng``
+ - :cve_nist:`2026-33416`, :cve_nist:`2026-33636`
+ * - ``libsndfile1``
+ - :cve_nist:`2024-50613`, :cve_nist:`2025-52194`
+ * - ``libsoup``
+ - :cve_nist:`2026-1467`, :cve_nist:`2026-1536`, :cve_nist:`2026-1539`, :cve_nist:`2026-1801`, :cve_nist:`2026-2443`, :cve_nist:`2026-3099`, :cve_nist:`2026-3632`, :cve_nist:`2026-3633`, :cve_nist:`2026-3634`, :cve_nist:`2026-4271`, :cve_nist:`2026-5119`
+ * - ``linux-yocto``
+ - :cve_nist:`2019-14899`, :cve_nist:`2021-3714`, :cve_nist:`2021-3864`, :cve_nist:`2022-0400`, :cve_nist:`2022-1247`, :cve_nist:`2022-4543`, :cve_nist:`2023-3397`, :cve_nist:`2023-3640`, :cve_nist:`2023-4010`, :cve_nist:`2023-6238`, :cve_nist:`2023-6240`, :cve_nist:`2025-40039`, :cve_nist:`2025-40040`, :cve_nist:`2025-40082`, :cve_nist:`2025-40149`, :cve_nist:`2025-40164`, :cve_nist:`2025-40251`, :cve_nist:`2025-68211`, :cve_nist:`2025-68214`, :cve_nist:`2025-68223`, :cve_nist:`2025-68333`, :cve_nist:`2025-68340`, :cve_nist:`2025-68351`, :cve_nist:`2025-68358`, :cve_nist:`2025-68365`, :cve_nist:`2025-68725`, :cve_nist:`2025-68749`, :cve_nist:`2025-68817`, :cve_nist:`2025-68823`, :cve_nist:`2025-71071`, :cve_nist:`2025-71072`, :cve_nist:`2025-71073`, :cve_nist:`2025-71074`, :cve_nist:`2025-71075`, :cve_nist:`2025-71076`, :cve_nist:`2025-71077`, :cve_nist:`2025-71078`, :cve_nist:`2025-71079`, :cve_nist:`2025-71080`, :cve_nist:`2025-71081`, :cve_nist:`2025-71082`, :cve_nist:`2025-
71083`, :cve_nist:`2025-71084`, :cve_nist:`2025-71085`, :cve_nist:`2025-71086`, :cve_nist:`2025-71087`, :cve_nist:`2025-71088`, :cve_nist:`2025-71089`, :cve_nist:`2025-71091`, :cve_nist:`2025-71093`, :cve_nist:`2025-71094`, :cve_nist:`2025-71095`, :cve_nist:`2025-71096`, :cve_nist:`2025-71097`, :cve_nist:`2025-71098`, :cve_nist:`2025-71099`, :cve_nist:`2025-71100`, :cve_nist:`2025-71101`, :cve_nist:`2025-71102`, :cve_nist:`2025-71104`, :cve_nist:`2025-71105`, :cve_nist:`2025-71107`, :cve_nist:`2025-71108`, :cve_nist:`2025-71109`, :cve_nist:`2025-71111`, :cve_nist:`2025-71112`, :cve_nist:`2025-71113`, :cve_nist:`2025-71114`, :cve_nist:`2025-71115`, :cve_nist:`2025-71116`, :cve_nist:`2025-71117`, :cve_nist:`2025-71118`, :cve_nist:`2025-71119`, :cve_nist:`2025-71120`, :cve_nist:`2025-71121`, :cve_nist:`2025-71122`, :cve_nist:`2025-71124`, :cve_nist:`2025-71125`, :cve_nist:`2025-71126`, :cve_nist:`2025-71127`, :cve_nist:`2025-71128`, :cve_nist:`2025-71129`, :cve_nist:`2025-71130`, :cve_
nist:`2025-71131`, :cve_nist:`2025-71132`, :cve_nist:`2025-71133`, :cve_nist:`2025-71134`, :cve_nist:`2025-71135`, :cve_nist:`2025-71136`, :cve_nist:`2025-71137`, :cve_nist:`2025-71138`, :cve_nist:`2025-71141`, :cve_nist:`2025-71142`, :cve_nist:`2025-71143`, :cve_nist:`2025-71147`, :cve_nist:`2025-71148`, :cve_nist:`2025-71149`, :cve_nist:`2025-71150`, :cve_nist:`2025-71151`, :cve_nist:`2025-71152`, :cve_nist:`2025-71153`, :cve_nist:`2025-71154`, :cve_nist:`2025-71156`, :cve_nist:`2025-71157`, :cve_nist:`2025-71158`, :cve_nist:`2025-71160`, :cve_nist:`2025-71161`, :cve_nist:`2025-71162`, :cve_nist:`2025-71163`, :cve_nist:`2025-71180`, :cve_nist:`2025-71182`, :cve_nist:`2025-71183`, :cve_nist:`2025-71184`, :cve_nist:`2025-71185`, :cve_nist:`2025-71186`, :cve_nist:`2025-71187`, :cve_nist:`2025-71188`, :cve_nist:`2025-71189`, :cve_nist:`2025-71190`, :cve_nist:`2025-71191`, :cve_nist:`2025-71200`, :cve_nist:`2025-71201`, :cve_nist:`2025-71202`, :cve_nist:`2025-71203`, :cve_nist:`2025-71
204`, :cve_nist:`2025-71220`, :cve_nist:`2025-71221`, :cve_nist:`2025-71222`, :cve_nist:`2025-71223`, :cve_nist:`2025-71225`, :cve_nist:`2025-71227`, :cve_nist:`2025-71229`, :cve_nist:`2025-71230`, :cve_nist:`2025-71231`, :cve_nist:`2025-71232`, :cve_nist:`2025-71233`, :cve_nist:`2025-71234`, :cve_nist:`2025-71235`, :cve_nist:`2025-71236`, :cve_nist:`2025-71237`, :cve_nist:`2025-71238`, :cve_nist:`2026-22976`, :cve_nist:`2026-22977`, :cve_nist:`2026-22978`, :cve_nist:`2026-22979`, :cve_nist:`2026-22980`, :cve_nist:`2026-22981`, :cve_nist:`2026-22982`, :cve_nist:`2026-22984`, :cve_nist:`2026-22985`, :cve_nist:`2026-22986`, :cve_nist:`2026-22989`, :cve_nist:`2026-22990`, :cve_nist:`2026-22991`, :cve_nist:`2026-22992`, :cve_nist:`2026-22993`, :cve_nist:`2026-22994`, :cve_nist:`2026-22996`, :cve_nist:`2026-22997`, :cve_nist:`2026-22998`, :cve_nist:`2026-22999`, :cve_nist:`2026-23000`, :cve_nist:`2026-23001`, :cve_nist:`2026-23002`, :cve_nist:`2026-23003`, :cve_nist:`2026-23005`, :cve_ni
st:`2026-23006`, :cve_nist:`2026-23007`, :cve_nist:`2026-23008`, :cve_nist:`2026-23009`, :cve_nist:`2026-23010`, :cve_nist:`2026-23011`, :cve_nist:`2026-23013`, :cve_nist:`2026-23015`, :cve_nist:`2026-23017`, :cve_nist:`2026-23018`, :cve_nist:`2026-23019`, :cve_nist:`2026-23020`, :cve_nist:`2026-23021`, :cve_nist:`2026-23023`, :cve_nist:`2026-23025`, :cve_nist:`2026-23026`, :cve_nist:`2026-23060`, :cve_nist:`2026-23061`, :cve_nist:`2026-23062`, :cve_nist:`2026-23063`, :cve_nist:`2026-23064`, :cve_nist:`2026-23065`, :cve_nist:`2026-23066`, :cve_nist:`2026-23067`, :cve_nist:`2026-23068`, :cve_nist:`2026-23069`, :cve_nist:`2026-23070`, :cve_nist:`2026-23071`, :cve_nist:`2026-23072`, :cve_nist:`2026-23073`, :cve_nist:`2026-23074`, :cve_nist:`2026-23075`, :cve_nist:`2026-23076`, :cve_nist:`2026-23077`, :cve_nist:`2026-23078`, :cve_nist:`2026-23080`, :cve_nist:`2026-23081`, :cve_nist:`2026-23083`, :cve_nist:`2026-23084`, :cve_nist:`2026-23085`, :cve_nist:`2026-23086`, :cve_nist:`2026-2308
7`, :cve_nist:`2026-23088`, :cve_nist:`2026-23089`, :cve_nist:`2026-23090`, :cve_nist:`2026-23091`, :cve_nist:`2026-23092`, :cve_nist:`2026-23093`, :cve_nist:`2026-23094`, :cve_nist:`2026-23095`, :cve_nist:`2026-23096`, :cve_nist:`2026-23097`, :cve_nist:`2026-23098`, :cve_nist:`2026-23099`, :cve_nist:`2026-23100`, :cve_nist:`2026-23101`, :cve_nist:`2026-23102`, :cve_nist:`2026-23103`, :cve_nist:`2026-23104`, :cve_nist:`2026-23105`, :cve_nist:`2026-23107`, :cve_nist:`2026-23108`, :cve_nist:`2026-23109`, :cve_nist:`2026-23110`, :cve_nist:`2026-23111`, :cve_nist:`2026-23112`, :cve_nist:`2026-23113`, :cve_nist:`2026-23114`, :cve_nist:`2026-23115`, :cve_nist:`2026-23116`, :cve_nist:`2026-23118`, :cve_nist:`2026-23119`, :cve_nist:`2026-23120`, :cve_nist:`2026-23121`, :cve_nist:`2026-23122`, :cve_nist:`2026-23123`, :cve_nist:`2026-23124`, :cve_nist:`2026-23125`, :cve_nist:`2026-23126`, :cve_nist:`2026-23128`, :cve_nist:`2026-23129`, :cve_nist:`2026-23130`, :cve_nist:`2026-23131`, :cve_nist
:`2026-23133`, :cve_nist:`2026-23135`, :cve_nist:`2026-23136`, :cve_nist:`2026-23137`, :cve_nist:`2026-23138`, :cve_nist:`2026-23139`, :cve_nist:`2026-23140`, :cve_nist:`2026-23141`, :cve_nist:`2026-23142`, :cve_nist:`2026-23143`, :cve_nist:`2026-23144`, :cve_nist:`2026-23146`, :cve_nist:`2026-23147`, :cve_nist:`2026-23148`, :cve_nist:`2026-23150`, :cve_nist:`2026-23151`, :cve_nist:`2026-23152`, :cve_nist:`2026-23154`, :cve_nist:`2026-23156`, :cve_nist:`2026-23157`, :cve_nist:`2026-23158`, :cve_nist:`2026-23160`, :cve_nist:`2026-23161`, :cve_nist:`2026-23163`, :cve_nist:`2026-23164`, :cve_nist:`2026-23166`, :cve_nist:`2026-23167`, :cve_nist:`2026-23168`, :cve_nist:`2026-23169`, :cve_nist:`2026-23170`, :cve_nist:`2026-23171`, :cve_nist:`2026-23172`, :cve_nist:`2026-23173`, :cve_nist:`2026-23186`, :cve_nist:`2026-23187`, :cve_nist:`2026-23188`, :cve_nist:`2026-23190`, :cve_nist:`2026-23191`, :cve_nist:`2026-23192`, :cve_nist:`2026-23193`, :cve_nist:`2026-23195`, :cve_nist:`2026-23196`
, :cve_nist:`2026-23197`, :cve_nist:`2026-23198`, :cve_nist:`2026-23199`, :cve_nist:`2026-23201`, :cve_nist:`2026-23204`, :cve_nist:`2026-23205`, :cve_nist:`2026-23206`, :cve_nist:`2026-23208`, :cve_nist:`2026-23209`, :cve_nist:`2026-23210`, :cve_nist:`2026-23212`, :cve_nist:`2026-23213`, :cve_nist:`2026-23214`, :cve_nist:`2026-23215`, :cve_nist:`2026-23216`, :cve_nist:`2026-23217`, :cve_nist:`2026-23219`, :cve_nist:`2026-23220`, :cve_nist:`2026-23221`, :cve_nist:`2026-23222`, :cve_nist:`2026-23223`, :cve_nist:`2026-23224`, :cve_nist:`2026-23226`, :cve_nist:`2026-23227`, :cve_nist:`2026-23228`, :cve_nist:`2026-23229`, :cve_nist:`2026-23230`, :cve_nist:`2026-23231`, :cve_nist:`2026-23233`, :cve_nist:`2026-23234`, :cve_nist:`2026-23235`, :cve_nist:`2026-23236`, :cve_nist:`2026-23237`, :cve_nist:`2026-23238`
+ * - ``mesa``
+ - :cve_nist:`2026-40393`
+ * - ``nfs-utils``
+ - :cve_nist:`2025-12801`
+ * - ``nghttp2``
+ - :cve_nist:`2026-27135`
+ * - ``openssh``
+ - :cve_nist:`2026-35414`
+ * - ``python3``
+ - :cve_nist:`2026-4519`
+ * - ``python3-requests``
+ - :cve_nist:`2026-25645`
+ * - ``qemu``
+ - :cve_nist:`2024-6519`
+ * - ``qemu-system-native``
+ - :cve_nist:`2024-6519`
+ * - ``sqlite3``
+ - :cve_nist:`2025-70873`
+ * - ``systemd-boot``
+ - :cve_nist:`2026-29111`, :cve_nist:`2026-40226`
+ * - ``vim``
+ - :cve_nist:`2026-28417`, :cve_nist:`2026-28418`, :cve_nist:`2026-28419`, :cve_nist:`2026-28420`, :cve_nist:`2026-28421`, :cve_nist:`2026-28422`, :cve_nist:`2026-33412`, :cve_nist:`2026-34714`, :cve_nist:`2026-35177`
+ * - ``xz``
+ - :cve_nist:`2026-34743`
Recipe Upgrades in |yocto-ver|
------------------------------
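Review bot: the generated table has separate rows for ``binutils-cross-x86_64``, ``binutils-testsuite``, ``go-binary-native``, ``go-cross-x86-64-v3``, ``go-runtime`` and ``qemu-system-native`` that repeat the CVE lists of ``binutils``, ``go`` and ``qemu`` verbatim. The ``-cross-x86_64`` and ``-cross-x86-64-v3`` names also depend on the machine the generator ran for (patch 15/18 uses ``binutils-cross`` and ``go-cross-core2-32``). Collapsing derived recipes into the base recipe row, or post-processing the tool output to do so, would make the table shorter and independent of the build configuration. The ``linux-yocto`` row includes identifiers as old as :cve_nist:`2019-14899` and :cve_nist:`2021-3714`. Please confirm these are fixes that landed in this cycle rather than status changes picked up by the generator, since readers will use this list to decide what the release actually closes. That row is also a single very long source line; wrapping it would keep future diffs reviewable.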
--
2.53.0
* [PATCH v2 15/18] migration-guides/release-notes-6.0.rst: add recipe version changes
From: Antonin Godard @ 2026-04-24 8:28 UTC (permalink / raw)
To: docs; +Cc: Thomas Petazzoni, Antonin Godard
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
---
.../migration-guides/release-notes-6.0.rst | 1133 +++++++++++++++++++-
1 file changed, 1128 insertions(+), 5 deletions(-)
diff --git a/documentation/migration-guides/release-notes-6.0.rst b/documentation/migration-guides/release-notes-6.0.rst
index c447292fe..8f09223d0 100644
--- a/documentation/migration-guides/release-notes-6.0.rst
+++ b/documentation/migration-guides/release-notes-6.0.rst
@@ -881,6 +881,10 @@ The following CVEs have been fixed:
Recipe Upgrades in |yocto-ver|
------------------------------
+..
+ Generated with https://layers.openembedded.org/layerindex/branch_comparison
+ With "rST" output selected
+
The following recipes have been upgraded:
.. list-table::
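Review bot: the added comment gives the layer index ``branch_comparison`` URL and the "rST" output option, but not which two branches and which layers were compared. Adding them would make the upgrade table reproducible. The patch also has an empty commit message body; one line stating the compared branches would serve the same purpose in the log.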
@@ -888,11 +892,1130 @@ The following recipes have been upgraded:
:header-rows: 1
* - Recipe
- - Previous version
- - New version
- * - ``recipe name``
- - Previous version
- - New version
+ - Previous version(s)
+ - New version(s)
+ * - ``acpica``
+ - 20250807
+ - 20251212
+ * - ``adwaita-icon-theme``
+ - 48.0
+ - 49.0
+ * - ``alsa-lib``
+ - 1.2.14
+ - 1.2.15.3
+ * - ``alsa-tools``
+ - 1.2.14
+ - 1.2.15
+ * - ``alsa-ucm-conf``
+ - 1.2.14
+ - 1.2.15.3
+ * - ``alsa-utils``
+ - 1.2.14
+ - 1.2.15.2
+ * - ``appstream``
+ - 1.0.6
+ - 1.1.2
+ * - ``aspell``
+ - 0.60.8.1
+ - 0.60.8.2
+ * - ``at-spi2-core``
+ - 2.56.4
+ - 2.60.0
+ * - ``autoconf``
+ - 2.72
+ - 2.73
+ * - ``barebox``
+ - 2025.09.3
+ - 2026.04.0
+ * - ``barebox-tools``
+ - 2025.09.3
+ - 2026.04.0
+ * - ``base-passwd``
+ - 3.6.7
+ - 3.6.8
+ * - ``bash-completion``
+ - 2.16.0
+ - 2.17.0
+ * - ``bind``
+ - 9.20.15
+ - 9.20.22
+ * - ``binutils``
+ - 2.45.1+git
+ - 2.46
+ * - ``binutils-cross``
+ - 2.45.1+git
+ - 2.46
+ * - ``binutils-cross-canadian``
+ - 2.45.1+git
+ - 2.46
+ * - ``binutils-crosssdk``
+ - 2.45.1+git
+ - 2.46
+ * - ``binutils-testsuite``
+ - 2.45.1+git
+ - 2.46
+ * - ``bluez5``
+ - 5.84
+ - 5.86
+ * - ``boost``
+ - 1.89.0
+ - 1.90.0
+ * - ``boost-build-native``
+ - 1.89.0
+ - 1.90.0
+ * - ``btrfs-tools``
+ - 6.16
+ - 6.19.1
+ * - ``cargo``
+ - 1.90.0
+ - 1.94.1
+ * - ``cargo-c``
+ - 0.10.16+cargo-0.91.0
+ - 0.10.21+cargo-0.95.0
+ * - ``ccache``
+ - 4.12.3
+ - 4.13.2
+ * - ``clang``
+ - 21.1.7
+ - 22.1.3
+ * - ``cmake``
+ - 4.1.2
+ - 4.3.1
+ * - ``cmake-native``
+ - 4.1.2
+ - 4.3.1
+ * - ``compiler-rt``
+ - 21.1.7
+ - 22.1.3
+ * - ``compiler-rt-sanitizers``
+ - 21.1.7
+ - 22.1.3
+ * - ``connman``
+ - 1.45
+ - 2.0
+ * - ``coreutils``
+ - 9.7
+ - 9.10
+ * - ``createrepo-c``
+ - 1.2.1
+ - 1.2.3
+ * - ``cross-localedef-native``
+ - 2.42+git
+ - 2.43+git
+ * - ``cryptodev-linux``
+ - 1.14 (135cbff90af2…)
+ - 1.14 (08644db02d43…)
+ * - ``cryptodev-module``
+ - 1.14 (135cbff90af2…)
+ - 1.14 (08644db02d43…)
+ * - ``cryptodev-tests``
+ - 1.14 (135cbff90af2…)
+ - 1.14 (08644db02d43…)
+ * - ``cups``
+ - 2.4.15
+ - 2.4.16
+ * - ``curl``
+ - 8.17.0
+ - 8.19.0
+ * - ``dhcpcd``
+ - 10.2.4
+ - 10.3.0
+ * - ``diffoscope``
+ - 306
+ - 314
+ * - ``dmidecode``
+ - 3.6
+ - 3.7
+ * - ``dnf``
+ - 4.23.0
+ - 4.24.0
+ * - ``dos2unix``
+ - 7.5.2
+ - 7.5.4
+ * - ``dpkg``
+ - 1.22.21
+ - 1.23.7
+ * - ``dropbear``
+ - 2025.88
+ - 2025.89
+ * - ``e2fsprogs``
+ - 1.47.3
+ - 1.47.4
+ * - ``ed``
+ - 1.22.2
+ - 1.22.5
+ * - ``elfutils``
+ - 0.193
+ - 0.194
+ * - ``ell``
+ - 0.80
+ - 0.83
+ * - ``enchant2``
+ - 2.8.14
+ - 2.8.15
+ * - ``epiphany``
+ - 48.5
+ - 49.7
+ * - ``erofs-utils``
+ - 1.8.10
+ - 1.9.1
+ * - ``ethtool``
+ - 6.15
+ - 6.19
+ * - ``expat``
+ - 2.7.4
+ - 2.7.5
+ * - ``fastfloat``
+ - 8.0.2
+ - 8.2.4
+ * - ``ffmpeg``
+ - 8.0
+ - 8.0.1
+ * - ``file``
+ - 5.46
+ - 5.47
+ * - ``fmt``
+ - 11.2.0
+ - 12.1.0
+ * - ``font-alias``
+ - 1.0.5
+ - 1.0.6
+ * - ``freetype``
+ - 2.13.3
+ - 2.14.3
+ * - ``gawk``
+ - 5.3.2
+ - 5.4.0
+ * - ``gdb``
+ - 16.3
+ - 17.1
+ * - ``gdb-cross``
+ - 16.3
+ - 17.1
+ * - ``gdb-cross-canadian``
+ - 16.3
+ - 17.1
+ * - ``gdk-pixbuf``
+ - 2.42.12
+ - 2.44.5
+ * - ``gettext``
+ - 0.26
+ - 1.0
+ * - ``gettext-minimal-native``
+ - 0.26
+ - 1.0
+ * - ``gi-docgen``
+ - 2025.4
+ - 2026.1
+ * - ``git``
+ - 2.51.0
+ - 2.53.0
+ * - ``glew``
+ - 2.2.0
+ - 2.3.1
+ * - ``glib-2.0``
+ - 2.86.4
+ - 2.88.0
+ * - ``glib-2.0-initial``
+ - 2.86.4
+ - 2.88.0
+ * - ``glibc``
+ - 2.42+git
+ - 2.43+git
+ * - ``glibc-locale``
+ - 2.42+git
+ - 2.43+git
+ * - ``glibc-mtrace``
+ - 2.42+git
+ - 2.43+git
+ * - ``glibc-scripts``
+ - 2.42+git
+ - 2.43+git
+ * - ``glibc-testsuite``
+ - 2.42+git
+ - 2.43+git
+ * - ``glslang``
+ - 1.4.328.1
+ - 1.4.341.0
+ * - ``gn``
+ - 0+git (81b24e01531e…)
+ - 0+git (9d19a7870add…)
+ * - ``gnu-efi``
+ - 4.0.2
+ - 4.0.4
+ * - ``gnupg``
+ - 2.5.11
+ - 2.5.17
+ * - ``gnutls``
+ - 3.8.10
+ - 3.8.12
+ * - ``go``
+ - 1.25.9
+ - 1.26.2
+ * - ``go-binary-native``
+ - 1.25.9
+ - 1.26.2
+ * - ``go-cross-canadian``
+ - 1.25.9
+ - 1.26.2
+ * - ``go-cross-core2-32``
+ - 1.25.9
+ - 1.26.2
+ * - ``go-crosssdk``
+ - 1.25.9
+ - 1.26.2
+ * - ``go-helloworld``
+ - 0.1 (8b405629c4a5…)
+ - 0.1 (7f05d217867b…)
+ * - ``go-runtime``
+ - 1.25.9
+ - 1.26.2
+ * - ``gobject-introspection``
+ - 1.84.0
+ - 1.86.0
+ * - ``groff``
+ - 1.23.0
+ - 1.24.0
+ * - ``grub``
+ - 2.12
+ - 2.14
+ * - ``grub-efi``
+ - 2.12
+ - 2.14
+ * - ``gsettings-desktop-schemas``
+ - 48.0
+ - 50.0
+ * - ``gst-devtools``
+ - 1.26.7
+ - 1.28.2
+ * - ``gst-examples``
+ - 1.26.7
+ - 1.28.2
+ * - ``gstreamer1.0``
+ - 1.26.7
+ - 1.28.2
+ * - ``gstreamer1.0-libav``
+ - 1.26.7
+ - 1.28.2
+ * - ``gstreamer1.0-plugins-bad``
+ - 1.26.7
+ - 1.28.2
+ * - ``gstreamer1.0-plugins-base``
+ - 1.26.7
+ - 1.28.2
+ * - ``gstreamer1.0-plugins-good``
+ - 1.26.7
+ - 1.28.2
+ * - ``gstreamer1.0-plugins-ugly``
+ - 1.26.7
+ - 1.28.2
+ * - ``gstreamer1.0-python``
+ - 1.26.7
+ - 1.28.2
+ * - ``gstreamer1.0-rtsp-server``
+ - 1.26.7
+ - 1.28.2
+ * - ``gtk-doc``
+ - 1.34.0
+ - 1.35.1
+ * - ``gtk4``
+ - 4.18.6
+ - 4.22.1
+ * - ``harfbuzz``
+ - 11.4.5
+ - 12.3.2
+ * - ``hwdata``
+ - 0.399
+ - 0.405
+ * - ``hwlatdetect``
+ - 2.9
+ - 2.10
+ * - ``icu``
+ - 77-1
+ - 78.3
+ * - ``ifupdown``
+ - 0.8.44
+ - 0.8.45
+ * - ``igt-gpu-tools``
+ - 2.1
+ - 2.3
+ * - ``inetutils``
+ - 2.6
+ - 2.7
+ * - ``iproute2``
+ - 6.16.0
+ - 6.19.0
+ * - ``iptables``
+ - 1.8.11
+ - 1.8.13
+ * - ``iso-codes``
+ - 4.18.0
+ - 4.20.1
+ * - ``kbd``
+ - 2.8.0
+ - 2.9.0
+ * - ``kea``
+ - 3.0.1
+ - 3.0.3
+ * - ``kern-tools-native``
+ - 0.3+git (f589e1df2325…)
+ - 0.3+git (a4a362d9f4f0…)
+ * - ``kexec-tools``
+ - 2.0.31
+ - 2.0.32
+ * - ``kmscube``
+ - 0.0.1+git (2c1f2646c5e5…)
+ - 0.0.1+git (f60e50e887d3…)
+ * - ``less``
+ - 679
+ - 692
+ * - ``libadwaita``
+ - 1.7.6
+ - 1.8.4
+ * - ``libarchive``
+ - 3.8.6
+ - 3.8.7
+ * - ``libatomic-ops``
+ - 7.8.4
+ - 7.10.0
+ * - ``libcap``
+ - 2.76
+ - 2.77
+ * - ``libcap-ng``
+ - 0.8.5
+ - 0.9.1
+ * - ``libcap-ng-python``
+ - 0.8.5
+ - 0.9.1
+ * - ``libclc``
+ - 21.1.7
+ - 22.1.3
+ * - ``libcomps``
+ - 0.1.22
+ - 0.1.24
+ * - ``libcxx``
+ - 21.1.7
+ - 22.1.3
+ * - ``libdisplay-info``
+ - 0.2.0
+ - 0.3.0
+ * - ``libdnf``
+ - 0.74.0
+ - 0.75.0
+ * - ``libdrm``
+ - 2.4.125
+ - 2.4.131
+ * - ``libedit``
+ - 20250104-3.1
+ - 20251016-3.1
+ * - ``libevdev``
+ - 1.13.5
+ - 1.13.6
+ * - ``libexif``
+ - 0.6.25
+ - 0.6.26
+ * - ``libfontenc``
+ - 1.1.8
+ - 1.1.9
+ * - ``libgcrypt``
+ - 1.11.2
+ - 1.12.1
+ * - ``libgit2``
+ - 1.9.1
+ - 1.9.2
+ * - ``libgloss``
+ - 4.5.0+git
+ - 4.6.0+git
+ * - ``libgpg-error``
+ - 1.56
+ - 1.59
+ * - ``libinput``
+ - 1.29.1
+ - 1.30.2
+ * - ``libjpeg-turbo``
+ - 3.1.2
+ - 3.1.3
+ * - ``libksba``
+ - 1.6.7
+ - 1.6.8
+ * - ``libnl``
+ - 3.11.0
+ - 3.12.0
+ * - ``libnotify``
+ - 0.8.6
+ - 0.8.8
+ * - ``libpam``
+ - 1.7.1
+ - 1.7.2
+ * - ``libpciaccess``
+ - 0.18.1
+ - 0.19
+ * - ``libpcre2``
+ - 10.46
+ - 10.47
+ * - ``libproxy``
+ - 0.5.10
+ - 0.5.12
+ * - ``librsvg``
+ - 2.61.0
+ - 2.61.3
+ * - ``libsolv``
+ - 0.7.35
+ - 0.7.36
+ * - ``libstd-rs``
+ - 1.90.0
+ - 1.94.1
+ * - ``libtasn1``
+ - 4.20.0
+ - 4.21.0
+ * - ``libtest-fatal-perl``
+ - 0.017
+ - 0.018
+ * - ``libtirpc``
+ - 1.3.6
+ - 1.3.7
+ * - ``libtraceevent``
+ - 1.8.4
+ - 1.9.0
+ * - ``libubootenv``
+ - 0.3.6
+ - 0.3.7
+ * - ``libunistring``
+ - 1.3
+ - 1.4.2
+ * - ``liburcu``
+ - 0.15.3
+ - 0.15.6
+ * - ``libuv``
+ - 1.51.0
+ - 1.52.1
+ * - ``libva``
+ - 2.22.0
+ - 2.23.0
+ * - ``libva-initial``
+ - 2.22.0
+ - 2.23.0
+ * - ``libva-utils``
+ - 2.22.0
+ - 2.23.0
+ * - ``libx11``
+ - 1.8.12
+ - 1.8.13
+ * - ``libx11-compose-data``
+ - 1.8.4
+ - 1.8.12
+ * - ``libxcomposite``
+ - 0.4.6
+ - 0.4.7
+ * - ``libxcrypt``
+ - 4.4.38
+ - 4.5.2
+ * - ``libxcrypt-compat``
+ - 4.4.38
+ - 4.5.2
+ * - ``libxdamage``
+ - 1.1.6
+ - 1.1.7
+ * - ``libxext``
+ - 1.3.6
+ - 1.3.7
+ * - ``libxinerama``
+ - 1.1.5
+ - 1.1.6
+ * - ``libxkbcommon``
+ - 1.11.0
+ - 1.13.1
+ * - ``libxkbfile``
+ - 1.1.3
+ - 1.2.0
+ * - ``libxml2``
+ - 2.14.6
+ - 2.15.2
+ * - ``libxmu``
+ - 1.2.1
+ - 1.3.1
+ * - ``libxpm``
+ - 3.5.17
+ - 3.5.18
+ * - ``libxrandr``
+ - 1.5.4
+ - 1.5.5
+ * - ``libxslt``
+ - 1.1.43
+ - 1.1.45
+ * - ``libxvmc``
+ - 1.0.14
+ - 1.0.15
+ * - ``libxxf86vm``
+ - 1.1.6
+ - 1.1.7
+ * - ``lighttpd``
+ - 1.4.81
+ - 1.4.82
+ * - ``linux-firmware``
+ - 20251111
+ - 20260410
+ * - ``linux-libc-headers``
+ - 6.17
+ - 6.18
+ * - ``linux-yocto``
+ - 6.12.69+git, 6.16.11+git
+ - 6.18.24+git
+ * - ``linux-yocto-dev``
+ - 6.18+git
+ - 7.0+git
+ * - ``linux-yocto-rt``
+ - 6.12.69+git, 6.16.11+git
+ - 6.18.24+git
+ * - ``linux-yocto-tiny``
+ - 6.12.69+git, 6.16.11+git
+ - 6.18.24+git
+ * - ``lld``
+ - 21.1.7
+ - 22.1.3
+ * - ``lldb``
+ - 21.1.7
+ - 22.1.3
+ * - ``llvm``
+ - 21.1.7
+ - 22.1.3
+ * - ``llvm-tblgen-native``
+ - 21.1.7
+ - 22.1.3
+ * - ``lsof``
+ - 4.99.5
+ - 4.99.6
+ * - ``ltp``
+ - 20250930
+ - 20260130
+ * - ``lttng-modules``
+ - 2.14.3
+ - 2.14.4
+ * - ``lttng-tools``
+ - 2.14.0
+ - 2.14.1
+ * - ``lua``
+ - 5.4.8
+ - 5.5.0
+ * - ``lzlib``
+ - 1.15
+ - 1.16
+ * - ``m4``
+ - 1.4.20
+ - 1.4.21
+ * - ``m4-native``
+ - 1.4.20
+ - 1.4.21
+ * - ``makedumpfile``
+ - 1.7.7
+ - 1.7.8
+ * - ``man-pages``
+ - 6.15
+ - 6.17
+ * - ``mdadm``
+ - 4.4
+ - 4.6
+ * - ``mesa``
+ - 25.2.8
+ - 26.0.5
+ * - ``mesa-gl``
+ - 25.2.8
+ - 26.0.5
+ * - ``meson``
+ - 1.9.1
+ - 1.10.2
+ * - ``mpg123``
+ - 1.33.2
+ - 1.33.4
+ * - ``msmtp``
+ - 1.8.31
+ - 1.8.32
+ * - ``mtd-utils``
+ - 2.3.0
+ - 2.3.1
+ * - ``musl``
+ - 1.2.5+git
+ - 1.2.6+git
+ * - ``nasm``
+ - 2.16.03
+ - 3.01
+ * - ``ncurses``
+ - 6.5
+ - 6.6
+ * - ``newlib``
+ - 4.5.0+git
+ - 4.6.0+git
+ * - ``nfs-utils``
+ - 2.8.4
+ - 2.8.7
+ * - ``nghttp2``
+ - 1.66.0
+ - 1.68.1
+ * - ``ninja``
+ - 1.13.1
+ - 1.13.2
+ * - ``ofono``
+ - 2.18
+ - 2.19
+ * - ``openmp``
+ - 21.1.7
+ - 22.1.3
+ * - ``opensbi``
+ - 1.7
+ - 1.8.1
+ * - ``openssh``
+ - 10.2p1
+ - 10.3p1
+ * - ``opkg``
+ - 0.8.0
+ - 0.9.0
+ * - ``orc``
+ - 0.4.41
+ - 0.4.42
+ * - ``ovmf``
+ - edk2-stable202508
+ - edk2-stable202511
+ * - ``p11-kit``
+ - 0.25.5
+ - 0.26.2
+ * - ``perl``
+ - 5.40.2
+ - 5.42.0
+ * - ``perlcross``
+ - 1.6.2
+ - 1.6.4
+ * - ``picolibc``
+ - 1.8.6+git
+ - 1.8.11+git
+ * - ``picolibc-helloworld``
+ - 1.8.6+git
+ - 1.8.11+git
+ * - ``procps``
+ - 4.0.5
+ - 4.0.6
+ * - ``pseudo``
+ - 1.9.3+git
+ - 1.9.5
+ * - ``puzzles``
+ - 0.0+git (a7c7826bce5c…)
+ - 0.0+git (ecb576fb2a0a…)
+ * - ``python3``
+ - 3.13.12
+ - 3.14.4
+ * - ``python3-attrs``
+ - 25.3.0
+ - 25.4.0
+ * - ``python3-babel``
+ - 2.17.0
+ - 2.18.0
+ * - ``python3-bcrypt``
+ - 4.3.0
+ - 5.0.0
+ * - ``python3-beartype``
+ - 0.21.0
+ - 0.22.9
+ * - ``python3-build``
+ - 1.3.0
+ - 1.4.0
+ * - ``python3-calver``
+ - 2025.04.17
+ - 2025.10.20
+ * - ``python3-certifi``
+ - 2025.8.3
+ - 2026.2.25
+ * - ``python3-cffi``
+ - 1.17.1
+ - 2.0.0
+ * - ``python3-chardet``
+ - 5.2.0
+ - 6.0.0.post1
+ * - ``python3-click``
+ - 8.2.2
+ - 8.3.1
+ * - ``python3-cryptography``
+ - 45.0.7
+ - 46.0.5
+ * - ``python3-cryptography-vectors``
+ - 45.0.7
+ - 46.0.5
+ * - ``python3-cython``
+ - 3.1.3
+ - 3.2.4
+ * - ``python3-dbusmock``
+ - 0.37.0
+ - 0.38.1
+ * - ``python3-docutils``
+ - 0.22
+ - 0.22.4
+ * - ``python3-dtschema``
+ - 2025.8
+ - 2025.12
+ * - ``python3-hatchling``
+ - 1.27.0
+ - 1.29.0
+ * - ``python3-hypothesis``
+ - 6.142.2
+ - 6.151.9
+ * - ``python3-imagesize``
+ - 1.4.1
+ - 2.0.0
+ * - ``python3-iniconfig``
+ - 2.1.0
+ - 2.3.0
+ * - ``python3-jsonschema``
+ - 4.25.1
+ - 4.26.0
+ * - ``python3-markdown``
+ - 3.9
+ - 3.10.2
+ * - ``python3-markupsafe``
+ - 3.0.2
+ - 3.0.3
+ * - ``python3-maturin``
+ - 1.9.4
+ - 1.12.4
+ * - ``python3-meson-python``
+ - 0.18.0
+ - 0.19.0
+ * - ``python3-numpy``
+ - 2.3.4
+ - 2.4.3
+ * - ``python3-packaging``
+ - 25.0
+ - 26.0
+ * - ``python3-pathspec``
+ - 0.12.1
+ - 1.0.4
+ * - ``python3-pbr``
+ - 7.0.1
+ - 7.0.3
+ * - ``python3-pdm``
+ - 2.25.9
+ - 2.26.6
+ * - ``python3-pdm-backend``
+ - 2.4.5
+ - 2.4.7
+ * - ``python3-pdm-build-locked``
+ - 0.3.5
+ - 0.3.7
+ * - ``python3-pip``
+ - 25.2
+ - 26.0.1
+ * - ``python3-poetry-core``
+ - 2.1.3
+ - 2.3.1
+ * - ``python3-psutil``
+ - 7.0.0
+ - 7.2.2
+ * - ``python3-pyasn1``
+ - 0.6.1
+ - 0.6.2
+ * - ``python3-pycairo``
+ - 1.28.0
+ - 1.29.0
+ * - ``python3-pycparser``
+ - 2.22
+ - 3.0
+ * - ``python3-pygobject``
+ - 3.52.3
+ - 3.56.1
+ * - ``python3-pyopenssl``
+ - 25.1.0
+ - 26.0.0
+ * - ``python3-pyparsing``
+ - 3.2.4
+ - 3.3.2
+ * - ``python3-pyproject-metadata``
+ - 0.9.1
+ - 0.11.0
+ * - ``python3-pytest``
+ - 8.4.2
+ - 9.0.2
+ * - ``python3-pytest-subtests``
+ - 0.14.2
+ - 0.15.0
+ * - ``python3-pytz``
+ - 2025.2
+ - 2026.1
+ * - ``python3-pyyaml``
+ - 6.0.2
+ - 6.0.3
+ * - ``python3-rdflib``
+ - 7.1.4
+ - 7.6.0
+ * - ``python3-rpds-py``
+ - 0.27.1
+ - 0.30.0
+ * - ``python3-ruamel-yaml``
+ - 0.18.15
+ - 0.19.1
+ * - ``python3-scons``
+ - 4.9.1
+ - 4.10.1
+ * - ``python3-setuptools``
+ - 80.9.0
+ - 82.0.1
+ * - ``python3-setuptools-scm``
+ - 8.3.1
+ - 9.2.2
+ * - ``python3-sphinx``
+ - 8.2.1
+ - 9.1.0
+ * - ``python3-sphinx-rtd-theme``
+ - 3.0.2
+ - 3.1.0
+ * - ``python3-testtools``
+ - 2.7.2
+ - 2.8.7
+ * - ``python3-trove-classifiers``
+ - 2025.9.11.17
+ - 2026.1.14.14
+ * - ``python3-unittest-automake-output``
+ - 0.3
+ - 0.4
+ * - ``python3-uritools``
+ - 5.0.0
+ - 6.0.1
+ * - ``python3-urllib3``
+ - 2.5.0
+ - 2.6.3
+ * - ``python3-wcwidth``
+ - 0.2.13
+ - 0.6.0
+ * - ``python3-webcolors``
+ - 24.11.1
+ - 25.10.0
+ * - ``python3-websockets``
+ - 15.0.1
+ - 16.0
+ * - ``python3-wheel``
+ - 0.46.1
+ - 0.46.3
+ * - ``python3-xmltodict``
+ - 0.15.1
+ - 1.0.4
+ * - ``python3-yamllint``
+ - 1.37.1
+ - 1.38.0
+ * - ``qemu``
+ - 10.0.6
+ - 10.2.0
+ * - ``qemu-native``
+ - 10.0.6
+ - 10.2.0
+ * - ``qemu-system-native``
+ - 10.0.6
+ - 10.2.0
+ * - ``quota``
+ - 4.10
+ - 4.11
+ * - ``re2c``
+ - 4.3
+ - 4.4
+ * - ``repo``
+ - 2.58
+ - 2.61.1
+ * - ``resolvconf``
+ - 1.93
+ - 1.94
+ * - ``rgb``
+ - 1.1.0
+ - 1.1.1
+ * - ``rpm-sequoia``
+ - 1.9.0
+ - 1.10.1
+ * - ``rpm-sequoia-crypto-policy``
+ - git (ae1df75b1155…)
+ - git (f3f5fa454345…)
+ * - ``rt-tests``
+ - 2.9
+ - 2.10
+ * - ``ruby``
+ - 3.4.5
+ - 4.0.2
+ * - ``rust``
+ - 1.90.0
+ - 1.94.1
+ * - ``rust-cross-canadian``
+ - 1.90.0
+ - 1.94.1
+ * - ``sbc``
+ - 2.1
+ - 2.2
+ * - ``scdoc``
+ - 1.11.3
+ - 1.11.4
+ * - ``seatd``
+ - 0.9.1
+ - 0.9.3
+ * - ``shaderc``
+ - 2025.3
+ - 2026.1
+ * - ``shadow``
+ - 4.18.0
+ - 4.19.4
+ * - ``socat``
+ - 1.8.0.3
+ - 1.8.1.1
+ * - ``spirv-headers``
+ - 1.4.328.1
+ - 1.4.341.0
+ * - ``spirv-llvm-translator``
+ - 21.1.1
+ - 22.1.1
+ * - ``spirv-tools``
+ - 1.4.328.1
+ - 1.4.341.0
+ * - ``sqlite3``
+ - 3.48.0
+ - 3.51.3
+ * - ``squashfs-tools``
+ - 4.7.2
+ - 4.7.5
+ * - ``strace``
+ - 6.16
+ - 6.19
+ * - ``stress-ng``
+ - 0.19.04
+ - 0.20.01
+ * - ``swig``
+ - 4.3.1
+ - 4.4.1
+ * - ``sysstat``
+ - 12.7.8
+ - 12.7.9
+ * - ``systemd``
+ - 257.8
+ - 259.5
+ * - ``systemd-boot``
+ - 257.8
+ - 259.5
+ * - ``systemd-boot-native``
+ - 257.8
+ - 259.5
+ * - ``systemd-systemctl-native``
+ - 257.8
+ - 259.5
+ * - ``systemtap``
+ - 5.3
+ - 5.4
+ * - ``systemtap-native``
+ - 5.3
+ - 5.4
+ * - ``taglib``
+ - 2.1.1
+ - 2.2.1
+ * - ``tcl``
+ - 9.0.2
+ - 9.0.3
+ * - ``texinfo``
+ - 7.2
+ - 7.3
+ * - ``ttyrun``
+ - 2.38.0
+ - 2.41.0
+ * - ``u-boot``
+ - 2025.10
+ - 2026.01
+ * - ``u-boot-tools``
+ - 2025.10
+ - 2026.01
+ * - ``usbutils``
+ - 018
+ - 019
+ * - ``utfcpp``
+ - 4.0.6
+ - 4.0.9
+ * - ``util-linux``
+ - 2.41.1
+ - 2.41.3
+ * - ``util-linux-libuuid``
+ - 2.41.1
+ - 2.41.3
+ * - ``valgrind``
+ - 3.25.1
+ - 3.26.0
+ * - ``vim``
+ - 9.1.1683
+ - 9.2.0340
+ * - ``vim-tiny``
+ - 9.1.1683
+ - 9.2.0340
+ * - ``virglrenderer``
+ - 1.1.1
+ - 1.2.0
+ * - ``vte``
+ - 0.82.1
+ - 0.82.2
+ * - ``vulkan-headers``
+ - 1.4.328.1
+ - 1.4.341.0
+ * - ``vulkan-loader``
+ - 1.4.328.1
+ - 1.4.341.0
+ * - ``vulkan-samples``
+ - git (d27205d14d01…)
+ - git (fa2cf45adde0…)
+ * - ``vulkan-tools``
+ - 1.4.328.1
+ - 1.4.341.0
+ * - ``vulkan-utility-libraries``
+ - 1.4.328.1
+ - 1.4.341.0
+ * - ``vulkan-validation-layers``
+ - 1.4.328.1
+ - 1.4.341.0
+ * - ``vulkan-volk``
+ - 1.4.328.1
+ - 1.4.341.0
+ * - ``wayland-protocols``
+ - 1.45
+ - 1.47
+ * - ``wayland-utils``
+ - 1.2.0
+ - 1.3.0
+ * - ``webkitgtk``
+ - 2.50.4
+ - 2.50.6
+ * - ``weston``
+ - 14.0.2
+ - 15.0.0
+ * - ``wpebackend-fdo``
+ - 1.16.0
+ - 1.16.1
+ * - ``x264``
+ - r3039+git (31e19f92f00c…)
+ - r3039+git (0480cb05fa18…)
+ * - ``xauth``
+ - 1.1.4
+ - 1.1.5
+ * - ``xcb-util-cursor``
+ - 0.1.5
+ - 0.1.6
+ * - ``xeyes``
+ - 1.3.0
+ - 1.3.1
+ * - ``xkbcomp``
+ - 1.4.7
+ - 1.5.0
+ * - ``xkeyboard-config``
+ - 2.45
+ - 2.47
+ * - ``xorgproto``
+ - 2024.1
+ - 2025.1
+ * - ``xserver-xorg``
+ - 21.1.18
+ - 21.1.21
+ * - ``xwayland``
+ - 24.1.8
+ - 24.1.9
+ * - ``xz``
+ - 5.8.1
+ - 5.8.2
+ * - ``zlib``
+ - 1.3.1
+ - 1.3.2
Contributors to |yocto-ver|
---------------------------
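Review bot: the `libx11-compose-data` row (1.8.4 to 1.8.12) is out of step with the `libx11` row just above it (1.8.12 to 1.8.13), and its new version equals the old `libx11` version. Please check whether that row was generated from stale data or whether the two recipes really diverge. Separately, the git-pinned rows (`kern-tools-native`, `kmscube`, `puzzles`, `rpm-sequoia-crypto-policy`, `vulkan-samples`, `x264`) give only an abbreviated hash followed by an ellipsis. A link to the full revision would let readers who audit component changes see exactly what moved.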
--
2.53.0
* [PATCH v2 16/18] migration-guides/migration-6.0.rst: mention python3-roman-numerals-py rename
From: Antonin Godard @ 2026-04-24 8:28 UTC (permalink / raw)
To: docs; +Cc: Thomas Petazzoni, Antonin Godard
Following faff756e829b ("python3-roman-numerals-py: upgrade 3.1.0 ->
4.1.0") in OE-Core.
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
---
documentation/migration-guides/migration-6.0.rst | 3 +++
1 file changed, 3 insertions(+)
diff --git a/documentation/migration-guides/migration-6.0.rst b/documentation/migration-guides/migration-6.0.rst
index ecb124a93..905d52fae 100644
--- a/documentation/migration-guides/migration-6.0.rst
+++ b/documentation/migration-guides/migration-6.0.rst
@@ -489,6 +489,9 @@ The following recipes have been removed in this release:
``cve-check`` class removal as it was the only user of these recipes.
(:oecore_rev:`00de455f8d3aeca880129d23e8cfb7e246404699`)
+- ``python3-roman-numerals-py``: renamed to ``python3-roman-numerals``
+ (:oecore_rev:`faff756e829b852724ad706051d6a771071440cb`)
+
Removed :term:`PACKAGECONFIG` options
-------------------------------------
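Review bot: the new `python3-roman-numerals-py` entry describes a rename, but it is added to the list introduced by "The following recipes have been removed in this release:", so a reader looking for renames will miss it and a reader scanning removals may conclude the recipe is gone. Consider stating that references to the old name (for example in RDEPENDS or IMAGE_INSTALL) must be updated to `python3-roman-numerals`, or move the entry to wherever renames are listed. The commit message also describes the OE-Core change as an upgrade 3.1.0 -> 4.1.0, which the entry does not mention.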
--
2.53.0
* [PATCH v2 17/18] migration-guides/release-notes-6.0.rst: add contributors
From: Antonin Godard @ 2026-04-24 8:28 UTC (permalink / raw)
To: docs; +Cc: Thomas Petazzoni, Antonin Godard
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
---
.../migration-guides/release-notes-6.0.rst | 199 +++++++++++++++++++++
1 file changed, 199 insertions(+)
diff --git a/documentation/migration-guides/release-notes-6.0.rst b/documentation/migration-guides/release-notes-6.0.rst
index 8f09223d0..f93075d7a 100644
--- a/documentation/migration-guides/release-notes-6.0.rst
+++ b/documentation/migration-guides/release-notes-6.0.rst
@@ -2020,7 +2020,206 @@ The following recipes have been upgraded:
Contributors to |yocto-ver|
---------------------------
+..
+ List obtained with the following shell snippet:
+
+ authors=""
+ for repo in openembedded-core yocto-docs bitbake meta-yocto; do
+ authors="${authors}\n$(git --no-pager -C $repo log --format="- %an" yocto-5.3..origin/master)"
+ done
+ echo $authors | sort | uniq
+
+ Email addresses and duplicates removed.
+
Thanks to the following people who contributed to this release:
+- Adam Blank
+- Adam Duskett
+- Adarsh Jagadish Kamini
+- Aditya Kurdunkar
+- Adrian Freihofer
+- Ahmad Fatoum
+- Alejandro Hernandez Samaniego
+- Aleksandar Nikolic
+- Alexander Kanavin
+- Alexander Sverdlin
+- Alex Bradbury
+- Alex Kiernan
+- Amaury Couderc
+- Andrej Kozemcak
+- Anibal Limon
+- Ankur Tyagi
+- Antonin Godard
+- Ashish Kumar Mishra
+- Ashish Sharma
+- BELHADJ SALEM Talel
+- Benjamin Robin
+- Bruce Ashfield
+- Changqing Li
+- Chen Qi
+- Clement Faure
+- Colin Pinnell McAllister
+- Corentin Guillevic
+- Daiane Angolini
+- Daniel Dragomir
+- Daniel Turull
+- Dan McGregor
+- Deepesh Varatharajan
+- Dmitry Baryshkov
+- Dragomir, Daniel
+- El Mehdi YOUNES
+- Enrico Jörns
+- Ernst Persson
+- Etienne Cordonnier
+- Fabio Berton
+- Fabio Estevam
+- Favazza, Samuele
+- Florian Schmaus
+- Francesco Valla
+- Franz Schnyder
+- Germann, Bastian
+- Guðni Már Gilbert
+- Gyorgy Sarvari
+- Haiqing Bai
+- Harish Sadineni
+- Hemanth Kumar M D
+- Het Patel
+- Hiago De Franco
+- Himanshu Jadon
+- hongxu
+- Hongxu Jia
+- Jaeyoon Jung
+- Jan Luebbe
+- Jan Vermaete
+- Jason Schonberg
+- Javier Tia
+- Jiaying Song
+- Jinfeng Wang
+- João Marcos Costa
+- Jörg Sommer
+- Jose Quaresma
+- Joshua Watt
+- Kai Kang
+- Kamel Bouhara
+- Kavinaya S
+- Ken Kurematsu
+- Khai Dang
+- Khalifa Rouis
+- Khem Raj
+- Koen Kooi
+- Kory Maincent
+- Kristiyan Chakarov
+- Krupal Ka Patel
+- Lee Chee Yang
+- Leon Anavi
+- Le Qi
+- Liu Yiding
+- Livin Sunny
+- Liyin Zhang
+- Logan Gallois
+- Louis Rannou
+- Lucas Stach
+- Luka Krstic
+- Mahesh Angadi
+- Mark Hatle
+- Mark-Pk Tsai
+- Markus Volk
+- mark.yang
+- Martin Jansa
+- Martin Schwan
+- Mathieu Dubois-Briand
+- Matt Madison
+- Maxin B. John
+- Maxin John
+- Max Krummenacher
+- Miaoqing Pan
+- Michael Arndt
+- Michael Halstead
+- Michael Opdenacker
+- Michal Sieron
+- Mikko Rapeli
+- Ming Liu
+- Mingli Yu
+- Miroslav Cernak
+- Mohammad Rafi Shaik
+- Mohammad Rahimi
+- Moritz Haase
+- Naftaly RALAMBOARIVONY
+- Naman Jain
+- Nikhil R
+- Niko Mauno
+- Nora Schiffer
+- Osama Abdelkader
+- Patrick Vogelaar
+- Patrick Wicki
+- Paul Barker
+- Pavel Löbl
+- Peter Bergin
+- Peter de Ridder
+- Peter Kjellerstedt
+- Peter Marko
+- Peter Tatrai
+- Philip Lorenz
+- Pierre-Loup GOSSE
+- Piotr Buliński
+- Pratik Farkase
+- Quentin Schulz
+- Randolph Sapp
+- Randy MacLeod
+- Ricardo Salveti
+- Ricardo Simoes
+- Ricardo Ungerer
+- Richard Purdie
+- Robert Joslyn
+- Robert P. J. Day
+- Robert Yang
+- Rob Woolley
+- Ross Burton
+- Rouven Rastetter
+- Ryan Eatmon
+- Sam Povilus
+- Samuli Piippo
+- Sandeep Gundlupet Raju
+- Scott Murray
+- Shaik Moin
+- Shotaro Uchida
+- Stefano Babic
+- Stefano Tondo
+- Sunil Dora
+- sven.kalmbach
+- Swami
+- Telukula Jeevan Kumar Sahu
+- Theo GAIGE
+- Thomas Perrot
+- Tim Orling
+- Tom Geelen
+- Trevor Gamblin
+- Trevor Woerner
+- Ulrich Ölmann
+- Uwe Kleine-König
+- Veeresh Kadasani
+- Victor Kamensky
+- Vijay Anusuri
+- Viswanath Kraleti
+- Vivek Puar
+- Vyacheslav Yurkov
+- Wang Mingyu
+- Weisser, Pascal
+- Xiangyu Chen
+- Yanis BINARD
+- Yann Dirson
+- Yannic Moog
+- Yash Gupta
+- Yash Shinde
+- Yasir Al-Latifi
+- Yiding Liu
+- Yi Zhao
+- Yoann Congal
+- Yongxin Liu
+- Zhangfei Gao
+- Zhang Peng
+- Zk47T
+- Zoltán Böszörményi
+
Repositories / Downloads for Yocto-|yocto-ver|
----------------------------------------------
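Review bot: the comment says "Email addresses and duplicates removed", but the list still contains what look like the same people under two spellings: "Daniel Dragomir" and "Dragomir, Daniel", "hongxu" and "Hongxu Jia", "Maxin B. John" and "Maxin John", "Liu Yiding" and "Yiding Liu". `sort | uniq` only collapses identical lines, so these need a mailmap or a manual pass. The snippet itself also depends on shell behaviour: unquoted `$authors` is word-split in sh and bash, which flattens the real newlines, and the literal `\n` is only expanded by echo implementations that interpret backslash escapes. Quoting the variables and using something like printf '%b\n' "$authors" | sort -u would make the documented command reproducible.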
--
2.53.0
* [PATCH v2 18/18] ref-manual/variables: IMAGE_TYPES: add new wicenv type
From: Antonin Godard @ 2026-04-24 8:28 UTC (permalink / raw)
To: docs; +Cc: Thomas Petazzoni, Antonin Godard
Added by commit e4d49702f21f ("image_types_wic: Introduce wicenv
image type") in OE-Core.
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
---
documentation/ref-manual/variables.rst | 1 +
1 file changed, 1 insertion(+)
diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst
index 4341e27fc..a8cbb87cf 100644
--- a/documentation/ref-manual/variables.rst
+++ b/documentation/ref-manual/variables.rst
@@ -4680,6 +4680,7 @@ system and gives an overview of their function and contents.
- wic.gz
- wic.lzma
- wic.zst
+ - wicenv
For more information about these types of images, see
``meta/classes-recipe/image_types*.bbclass`` in :term:`OpenEmbedded-Core
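Review bot: `wicenv` is added as a bare entry directly after `wic.gz`, `wic.lzma` and `wic.zst`, where it reads like one more compressed variant of `wic`, and nothing in the entry or the sentence that follows says what this type produces. A one-line description, or a pointer to the class that implements it (the commit message names image_types_wic), would tell readers when to select it.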
--
2.53.0