All the mail mirrored from lore.kernel.org
* [PATCH] fetch2: Add BB_TRUSTED_NETWORK support
@ 2015-03-31 18:39 Liam R. Howlett
  2015-03-31 18:39 ` Liam R. Howlett
  2015-04-15 19:37 ` [PATCH] fetch2: Add BB_TRUSTED_NETWORK support Christopher Larson
  0 siblings, 2 replies; 22+ messages in thread
From: Liam R. Howlett @ 2015-03-31 18:39 UTC (permalink / raw)
  To: bitbake-devel

This patch adds support for a new local.conf variable called
BB_TRUSTED_NETWORK.  BB_TRUSTED_NETWORK holds a list of hostnames that the user
trusts as a source for downloading content.  If network access is enabled and
the user has configured trusted hosts, then any hosts that are not in the list
will cause an error to occur at fetch.  Any mirrors and pre-mirrors that are
not in the list will result in warnings that these locations will not be used.

The BB_NO_NETWORK variable still stops all network access.

Please see the comments in the patch for more details and example usage.

Liam R. Howlett (1):
  fetch2: Add BB_TRUSTED_NETWORK support

 lib/bb/fetch2/__init__.py | 57 +++++++++++++++++++++++++++++++++++++++++++++++
 lib/bb/tests/fetch.py     | 33 +++++++++++++++++++++++++++
 2 files changed, 90 insertions(+)

-- 
2.1.0



^ permalink raw reply	[flat|nested] 22+ messages in thread

* [PATCH] fetch2: Add BB_TRUSTED_NETWORK support
  2015-03-31 18:39 [PATCH] fetch2: Add BB_TRUSTED_NETWORK support Liam R. Howlett
@ 2015-03-31 18:39 ` Liam R. Howlett
  2015-04-15 18:17   ` [PATCH v2] " Liam R. Howlett
  2015-04-15 19:37 ` [PATCH] fetch2: Add BB_TRUSTED_NETWORK support Christopher Larson
  1 sibling, 1 reply; 22+ messages in thread
From: Liam R. Howlett @ 2015-03-31 18:39 UTC (permalink / raw)
  To: bitbake-devel

BB_TRUSTED_NETWORK is a list of hosts that the fetcher will be allowed
to use when BB_NO_NETWORK is not set.

If BB_NO_NETWORK is set, then networking is still disabled.

If BB_TRUSTED_NETWORK is not set, the behaviour remains the same as
today.

If BB_NO_NETWORK is NOT set, and BB_TRUSTED_NETWORK is configured, then
only the hosts in the list are usable by the fetcher.

eg:
BB_TRUSTED_NETWORK="yoctoproject.org git.gnu.org"
The fetcher will be able to download from yoctoproject.org, git.gnu.org,
but not ftp.gnu.org or any other hostname that is not in the list.

There is also limited support for wildcards on the beginning of the
hosts, so BB_TRUSTED_NETWORK="*.gnu.org" will match git.gnu.org and
ftp.gnu.org as well as foo.git.gnu.org

Signed-off-by: Liam R. Howlett <Liam.Howlett@WindRiver.com>
---
 lib/bb/fetch2/__init__.py | 57 +++++++++++++++++++++++++++++++++++++++++++++++
 lib/bb/tests/fetch.py     | 33 +++++++++++++++++++++++++++
 2 files changed, 90 insertions(+)

diff --git a/lib/bb/fetch2/__init__.py b/lib/bb/fetch2/__init__.py
index b004dae..09e13e0 100644
--- a/lib/bb/fetch2/__init__.py
+++ b/lib/bb/fetch2/__init__.py
@@ -61,6 +61,17 @@ class BBFetchException(Exception):
     def __str__(self):
          return self.msg
 
+class UntrustedUrl(BBFetchException):
+    """Exception raised when encountering a host not listed in BB_TRUSTED_NETWORK"""
+    def __init__(self, url, message=''):
+        if message:
+            msg = message
+        else:
+            msg = "The URL: '%s' is not trusted and cannot be used" % url
+        self.url = url
+        BBFetchException.__init__(self, msg)
+        self.args = (url,)
+
 class MalformedUrl(BBFetchException):
     """Exception raised when encountering an invalid url"""
     def __init__(self, url, message=''):
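Review bot: the default message, "The URL: '%s' is not trusted and cannot be used", never names the setting that rejected the URL, so a user who hits it has no pointer to BB_TRUSTED_NETWORK; only the docstring mentions the variable. Include the variable and the host in the message, e.g. `msg = "The URL: '%s' is not trusted and cannot be used (host not in BB_TRUSTED_NETWORK)" % url`, and keep it in sync if the variable is renamed.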
@@ -851,6 +862,11 @@ def build_mirroruris(origud, mirrors, ld):
             newuri = uri_replace(ud, find, replace, replacements, ld)
             if not newuri or newuri in uris or newuri == origud.url:
                 continue
+
+            if not trusted_network(ld, newuri):
+                logger.warn("Mirror %s not in list of trusted networks, skipping" %  (newuri))
+                continue
+
             try:
                 newud = FetchData(newuri, ld)
                 newud.setup_localpath(ld)
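Review bot: `logger.warn` fires once per mirror candidate on every fetch, and `warn` is the deprecated alias of `logger.warning`; either use `logger.warning` and emit one summary per URL, or log at debug level and correct the cover letter, which promises that skipped mirrors produce warnings. The bigger concern is failure visibility: a typo in BB_TRUSTED_NETWORK silently removes every mirror from the candidate list, so one warning when all mirrors were filtered out would make a misconfiguration obvious. Minor: double space in `%  (newuri)`.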
@@ -971,6 +987,44 @@ def try_mirrors(d, origud, mirrors, check = False):
             return ret
     return None
 
+def trusted_network(d, url):
+    """
+    Use a trusted url during download if networking is enabled and
+    BB_TRUSTED_NETWORK is set globally or for a specific recipe.
+    Note: modifies SRC_URI & mirrors.
+    """
+    if d.getVar('BB_NO_NETWORK', True) == "1":
+        return True
+
+    pkgname = d.expand(d.getVar('PN'))
+    trusted_hosts = d.getVarFlag('BB_TRUSTED_NETWORK', pkgname)
+
+    if not trusted_hosts:
+        trusted_hosts = d.getVar('BB_TRUSTED_NETWORK', True)
+
+    # Not enabled.
+    if not trusted_hosts:
+        return True
+
+    scheme, network, path, user, passwd, param = decodeurl(url)
+
+    if not network:
+        return True
+
+    network = network.lower()
+
+    for host in trusted_hosts.split(" "):
+        host = host.lower()
+        if (re.match('^\*?\.', host)):
+            host = host[2:]
+            m = network.split('.')
+            network = "%s.%s" % (m[-2], m[-1])
+        if (host == network):
+            return True
+
+
+    return False
+
 def srcrev_internal_helper(ud, d, name):
     """
     Return:
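Review bot: the wildcard branch has several logic defects. `re.match('^\*?\.', host)` also accepts an entry such as `.gnu.org`, but `host[2:]` then strips two characters and compares against `nu.org`; `network` is rebound to its last two labels and that value persists for the remaining iterations, so with `BB_TRUSTED_NETWORK="*.foo.org git.gnu.org"` a URL on git.gnu.org is compared as `gnu.org` on the second pass and rejected; collapsing to two labels also means `*.git.gnu.org` can never match `foo.git.gnu.org`, contrary to the commit message; and `m[-2]` raises IndexError for a single-label host such as `localhost`. A suffix comparison that keeps the label boundary needs no mutation: `if host.startswith('*.') and ('.' + network).endswith(host[1:]): return True`. Separately, the docstring's "Note: modifies SRC_URI & mirrors." is wrong, the function is a pure predicate; and `if not network: return True` is fail-open, so please confirm that decodeurl cannot return an empty host for a non-file URL (for instance one with no path component), otherwise such a URL bypasses the check entirely.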
@@ -1511,6 +1565,9 @@ class Fetch(object):
 
             lf = bb.utils.lockfile(ud.lockfile)
 
+            if not trusted_network(self.d, ud.url):
+                raise UntrustedUrl(ud.url)
+
             try:
                 self.d.setVar("BB_NO_NETWORK", network)
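Review bot: the raise sits after `lf = bb.utils.lockfile(ud.lockfile)` and before the `try:`; if the lock is released in that try's finally clause, as the rest of this function does, an untrusted URL leaves the lock file held. The placement also runs the check before the donestamp and PREMIRRORS handling inside the try, so an upstream host outside the list fails even when the file is already in DL_DIR or available from an allowed premirror, which defeats the internal-mirror use case the cover letter targets. Move the check to the point where the upstream fetch is actually attempted.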
  
diff --git a/lib/bb/tests/fetch.py b/lib/bb/tests/fetch.py
index d56ef49..69e689d 100644
--- a/lib/bb/tests/fetch.py
+++ b/lib/bb/tests/fetch.py
@@ -547,6 +547,39 @@ class FetcherNetworkTest(FetcherTest):
             os.chdir(os.path.dirname(self.unpackdir))
             fetcher.unpack(self.unpackdir)
 
+        def test_trusted_network(self):
+            # Ensure trusted_network returns False when the host IS in the list.
+            url = "git://Someserver.org/foo;rev=1"
+            self.d.setVar("BB_TRUSTED_NETWORK", "server1.org someserver.org server2.org server3.org")
+            self.assertTrue(bb.fetch.trusted_network(self.d, url))
+
+        def test_wild_trusted_network(self):
+            # Ensure trusted_network returns true when the *.host IS in the list.
+            url = "git://Someserver.org/foo;rev=1"
+            self.d.setVar("BB_TRUSTED_NETWORK", "server1.org *.someserver.org server2.org server3.org")
+            self.assertTrue(bb.fetch.trusted_network(self.d, url))
+
+        def test_prefix_wild_trusted_network(self):
+            # Ensure trusted_network returns true when the prefix matches *.host.
+            url = "git://git.Someserver.org/foo;rev=1"
+            self.d.setVar("BB_TRUSTED_NETWORK", "server1.org *.someserver.org server2.org server3.org")
+            name = bb.fetch.trusted_network(self.d, url)
+            self.assertTrue(bb.fetch.trusted_network(self.d, url))
+        def test_two_prefix_wild_trusted_network(self):
+            # Ensure trusted_network returns true when the prefix matches *.host.
+            url = "git://something.git.Someserver.org/foo;rev=1"
+            self.d.setVar("BB_TRUSTED_NETWORK", "server1.org *.someserver.org server2.org server3.org")
+            name = bb.fetch.trusted_network(self.d, url)
+            self.assertTrue(bb.fetch.trusted_network(self.d, url))
+
+        def test_untrusted_network(self):
+            # Ensure trusted_network returns False when the host is NOT in the list.
+            self.d.delVar("BB_TRUSTED_NETWORK")
+            url = "git://someserver.org/foo;rev=1"
+            self.d.setVar("BB_TRUSTED_NETWORK", "server1.org server2.org server3.org")
+            self.assertFalse(bb.fetch.trusted_network(self.d, url))
+
+
 class URLHandle(unittest.TestCase):
 
     datatable = {
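Review bot: these tests never touch the network, yet the eight-space indentation puts them inside the conditional block of FetcherNetworkTest that skips network tests (BB_SKIP_NETTESTS), so they are skipped in exactly the offline environments where the allowlist matters; move them to FetcherTest or a new TestCase. The comment on test_trusted_network says the function "returns False when the host IS in the list" while the assertion expects True; `name = bb.fetch.trusted_network(...)` in test_prefix_wild_trusted_network and test_two_prefix_wild_trusted_network is unused; test_two_prefix_wild_trusted_network needs a blank line before it; and the `delVar` in test_untrusted_network is redundant since setVar follows. Missing is the negative case that matters for the security property: a near-miss suffix such as `git://evilsomeserver.org/foo` or `git://someserver.org.evil.example/foo` must fail against `*.someserver.org`.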
-- 
2.1.0




* [PATCH v2] fetch2: Add BB_TRUSTED_NETWORK support
  2015-03-31 18:39 ` Liam R. Howlett
@ 2015-04-15 18:17   ` Liam R. Howlett
  2015-04-15 18:17     ` Liam R. Howlett
  0 siblings, 1 reply; 22+ messages in thread
From: Liam R. Howlett @ 2015-04-15 18:17 UTC (permalink / raw)
  To: bitbake-devel

This patch adds support for a new local.conf variable called
BB_TRUSTED_NETWORK.  BB_TRUSTED_NETWORK holds a list of hostnames that the user
trusts as a source for downloading content.  If network access is enabled and
the user has configured trusted hosts, then any hosts that are not in the list
will cause an error to occur at fetch.  Any mirrors and pre-mirrors that are
not in the list will result in warnings that these locations will not be used.

The BB_NO_NETWORK variable still stops all network access.

Please see the comments in the patch for more details and example usage.

Liam R. Howlett (1):
  fetch2: Add BB_TRUSTED_NETWORK support

 lib/bb/fetch2/__init__.py | 53 +++++++++++++++++++++++++++++++++++++++++++++++
 lib/bb/tests/fetch.py     | 37 +++++++++++++++++++++++++++++++++
 2 files changed, 90 insertions(+)

-- 
2.1.1




* [PATCH v2] fetch2: Add BB_TRUSTED_NETWORK support
  2015-04-15 18:17   ` [PATCH v2] " Liam R. Howlett
@ 2015-04-15 18:17     ` Liam R. Howlett
  2015-04-16 17:06       ` [PATCH v3] fetch2: Add BB_ALLOWED_NETWORKS support Liam R. Howlett
  2015-04-16 17:23       ` Liam R. Howlett
  0 siblings, 2 replies; 22+ messages in thread
From: Liam R. Howlett @ 2015-04-15 18:17 UTC (permalink / raw)
  To: bitbake-devel

BB_TRUSTED_NETWORK is a list of hosts that the fetcher will be allowed
to use when BB_NO_NETWORK is not set.

If BB_NO_NETWORK is set, then networking is still disabled.

If BB_TRUSTED_NETWORK is not set, the behaviour remains the same as
today.

If BB_NO_NETWORK is NOT set, and BB_TRUSTED_NETWORK is configured, then
only the hosts in the list are usable by the fetcher.

eg:
BB_TRUSTED_NETWORK="yoctoproject.org git.gnu.org"
The fetcher will be able to download from yoctoproject.org, git.gnu.org,
but not ftp.gnu.org or any other hostname that is not in the list.

There is also limited support for wildcards on the beginning of the
hosts, so BB_TRUSTED_NETWORK="*.gnu.org" will match git.gnu.org and
ftp.gnu.org as well as foo.git.gnu.org

Signed-off-by: Liam R. Howlett <Liam.Howlett@WindRiver.com>
---
 lib/bb/fetch2/__init__.py | 53 +++++++++++++++++++++++++++++++++++++++++++++++
 lib/bb/tests/fetch.py     | 37 +++++++++++++++++++++++++++++++++
 2 files changed, 90 insertions(+)

diff --git a/lib/bb/fetch2/__init__.py b/lib/bb/fetch2/__init__.py
index b004dae..f34b74a 100644
--- a/lib/bb/fetch2/__init__.py
+++ b/lib/bb/fetch2/__init__.py
@@ -61,6 +61,17 @@ class BBFetchException(Exception):
     def __str__(self):
          return self.msg
 
+class UntrustedUrl(BBFetchException):
+    """Exception raised when encountering a host not listed in BB_TRUSTED_NETWORK"""
+    def __init__(self, url, message=''):
+        if message:
+            msg = message
+        else:
+            msg = "The URL: '%s' is not trusted and cannot be used" % url
+        self.url = url
+        BBFetchException.__init__(self, msg)
+        self.args = (url,)
+
 class MalformedUrl(BBFetchException):
     """Exception raised when encountering an invalid url"""
     def __init__(self, url, message=''):
@@ -851,6 +862,11 @@ def build_mirroruris(origud, mirrors, ld):
             newuri = uri_replace(ud, find, replace, replacements, ld)
             if not newuri or newuri in uris or newuri == origud.url:
                 continue
+
+            if not trusted_network(ld, newuri):
+                logger.debug(1, "Mirror %s not in the list of trusted networks, skipping" %  (newuri))
+                continue
+
             try:
                 newud = FetchData(newuri, ld)
                 newud.setup_localpath(ld)
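Review bot: the log level was lowered to `logger.debug(1, ...)`, but the cover letter and the commit message for this version still state that mirrors not in the list "will result in warnings"; update the text or keep the warning. With debug level only, a typo in BB_TRUSTED_NETWORK removes every mirror without any visible trace at the default verbosity, so a single summary warning when all candidates were filtered out is worth adding.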
@@ -971,6 +987,41 @@ def try_mirrors(d, origud, mirrors, check = False):
             return ret
     return None
 
+def trusted_network(d, url):
+    """
+    Use a trusted url during download if networking is enabled and
+    BB_TRUSTED_NETWORK is set globally or for a specific recipe.
+    Note: modifies SRC_URI & mirrors.
+    """
+    if d.getVar('BB_NO_NETWORK', True) == "1":
+        return True
+
+    pkgname = d.expand(d.getVar('PN'))
+    trusted_hosts = d.getVarFlag('BB_TRUSTED_NETWORK', pkgname)
+
+    if not trusted_hosts:
+        trusted_hosts = d.getVar('BB_TRUSTED_NETWORK', True)
+
+    # Not enabled.
+    if not trusted_hosts:
+        return True
+
+    scheme, network, path, user, passwd, param = decodeurl(url)
+
+    if not network:
+        return True
+
+    network = network.lower()
+
+    for host in trusted_hosts.split(" "):
+        host = host.lower()
+        if host.startswith("*.") and ("." + network).endswith(host[1:]):
+            return True
+        if host == network:
+            return True
+
+    return False
+
 def srcrev_internal_helper(ud, d, name):
     """
     Return:
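Review bot: the new suffix check, `('.' + network).endswith(host[1:])`, keeps the label boundary, so `evilgnu.org` and `gnu.org.evil.example` do not match `*.gnu.org`, and `*.gnu.org` matching `gnu.org` itself is covered by test_wild_trusted_network; that resolves the v1 matching problems. Remaining: the docstring's "Note: modifies SRC_URI & mirrors." is still wrong for a pure predicate; `trusted_hosts.split(" ")` yields empty entries for runs of spaces or a multi-line assignment, `split()` does not; and `if not network: return True` remains fail-open, so confirm decodeurl cannot return an empty host for a non-file URL, or restrict that early return to schemes that legitimately have no host.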
@@ -1529,6 +1580,8 @@ class Fetch(object):
                 firsterr = None
                 if not localpath and ((not verify_donestamp(ud, self.d)) or m.need_update(ud, self.d)):
                     try:
+                        if not trusted_network(self.d, ud.url):
+                            raise UntrustedUrl(ud.url)
                         logger.debug(1, "Trying Upstream")
                         m.download(ud, self.d)
                         if hasattr(m, "build_mirror_data"):
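Review bot: moving the check inside the upstream `try:` fixes the lock leak and lets the donestamp and PREMIRRORS be consulted first, but UntrustedUrl is a BBFetchException, and `firsterr = None` just above implies this try's handler records the first fetch error and falls back to MIRRORS; the user will then see an ordinary "failed to fetch, attempting MIRRORS" path rather than a policy error, with the untrusted message surfacing only through firsterr at the end. If that fallback is intended (upstream refused, allowed mirrors still tried), say so in the commit message; otherwise catch UntrustedUrl next to NetworkAccess and re-raise.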
diff --git a/lib/bb/tests/fetch.py b/lib/bb/tests/fetch.py
index d56ef49..06726f2 100644
--- a/lib/bb/tests/fetch.py
+++ b/lib/bb/tests/fetch.py
@@ -547,6 +547,43 @@ class FetcherNetworkTest(FetcherTest):
             os.chdir(os.path.dirname(self.unpackdir))
             fetcher.unpack(self.unpackdir)
 
+        def test_trusted_network(self):
+            # Ensure trusted_network returns False when the host IS in the list.
+            url = "git://Someserver.org/foo;rev=1"
+            self.d.setVar("BB_TRUSTED_NETWORK", "server1.org someserver.org server2.org server3.org")
+            self.assertTrue(bb.fetch.trusted_network(self.d, url))
+
+        def test_wild_trusted_network(self):
+            # Ensure trusted_network returns true when the *.host IS in the list.
+            url = "git://Someserver.org/foo;rev=1"
+            self.d.setVar("BB_TRUSTED_NETWORK", "server1.org *.someserver.org server2.org server3.org")
+            self.assertTrue(bb.fetch.trusted_network(self.d, url))
+
+        def test_prefix_wild_trusted_network(self):
+            # Ensure trusted_network returns true when the prefix matches *.host.
+            url = "git://git.Someserver.org/foo;rev=1"
+            self.d.setVar("BB_TRUSTED_NETWORK", "server1.org *.someserver.org server2.org server3.org")
+            self.assertTrue(bb.fetch.trusted_network(self.d, url))
+
+        def test_two_prefix_wild_trusted_network(self):
+            # Ensure trusted_network returns true when the prefix matches *.host.
+            url = "git://something.git.Someserver.org/foo;rev=1"
+            self.d.setVar("BB_TRUSTED_NETWORK", "server1.org *.someserver.org server2.org server3.org")
+            self.assertTrue(bb.fetch.trusted_network(self.d, url))
+
+        def test_untrusted_network(self):
+            # Ensure trusted_network returns False when the host is NOT in the list.
+            url = "git://someserver.org/foo;rev=1"
+            self.d.setVar("BB_TRUSTED_NETWORK", "server1.org server2.org server3.org")
+            self.assertFalse(bb.fetch.trusted_network(self.d, url))
+
+        def test_wild_untrusted_network(self):
+            # Ensure trusted_network returns False when the host is NOT in the list.
+            url = "git://*.someserver.org/foo;rev=1"
+            self.d.setVar("BB_TRUSTED_NETWORK", "server1.org server2.org server3.org")
+            self.assertFalse(bb.fetch.trusted_network(self.d, url))
+
+
 class URLHandle(unittest.TestCase):
 
     datatable = {
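Review bot: test_wild_untrusted_network checks that a literal `*.` in the URL host does not match, which is good, but there is still no near-miss negative test, e.g. `git://evilsomeserver.org/foo` and `git://someserver.org.evil.example/foo` against `*.someserver.org`; that is the case which distinguishes the new label-aware suffix check from a plain endswith and should be locked in. The tests also remain under the network-test guard of FetcherNetworkTest although they need no network, and the comment on test_trusted_network still says "returns False" for a True assertion.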
-- 
2.1.1




* Re: [PATCH] fetch2: Add BB_TRUSTED_NETWORK support
  2015-03-31 18:39 [PATCH] fetch2: Add BB_TRUSTED_NETWORK support Liam R. Howlett
  2015-03-31 18:39 ` Liam R. Howlett
@ 2015-04-15 19:37 ` Christopher Larson
  2015-04-15 19:42   ` Bernhard Reutner-Fischer
  1 sibling, 1 reply; 22+ messages in thread
From: Christopher Larson @ 2015-04-15 19:37 UTC (permalink / raw)
  To: Liam R. Howlett; +Cc: bitbake-devel@lists.openembedded.org


On Tue, Mar 31, 2015 at 11:39 AM, Liam R. Howlett <
Liam.Howlett@windriver.com> wrote:

> This patch adds support for a new local.conf variable called
> BB_TRUSTED_NETWORK.  BB_TRUSTED_NETWORK holds a list of hostnames that the
> user
> trusts as a source for downloading content.  If network access is enabled
> and
> the user has configured trusted hosts, then any hosts that are not in the
> list
> will cause an error to occur at fetch.  Any mirrors and pre-mirrors that
> are
> not in the list will result in warnings that these locations will not be
> used.
>
> The BB_NO_NETWORK variable still stops all network access.
>
> Please see the comments in the patch for more details and example usage.
>

Hmm, looks like this might be useful with an internal mirror coupled with
PREMIRRORS, so fetches from the internal host are allowed, but anything
missing from there would be immediately caught?
-- 
Christopher Larson
clarson at kergoth dot com
Founder - BitBake, OpenEmbedded, OpenZaurus
Maintainer - Tslib
Senior Software Engineer, Mentor Graphics



* Re: [PATCH] fetch2: Add BB_TRUSTED_NETWORK support
  2015-04-15 19:37 ` [PATCH] fetch2: Add BB_TRUSTED_NETWORK support Christopher Larson
@ 2015-04-15 19:42   ` Bernhard Reutner-Fischer
  2015-04-16 14:16     ` Liam R. Howlett
  0 siblings, 1 reply; 22+ messages in thread
From: Bernhard Reutner-Fischer @ 2015-04-15 19:42 UTC (permalink / raw)
  To: Christopher Larson, Liam R. Howlett; +Cc: bitbake-devel@lists.openembedded.org

On April 15, 2015 9:37:38 PM GMT+02:00, Christopher Larson <clarson@kergoth.com> wrote:
>On Tue, Mar 31, 2015 at 11:39 AM, Liam R. Howlett <
>Liam.Howlett@windriver.com> wrote:
>
>> This patch adds support for a new local.conf variable called
>> BB_TRUSTED_NETWORK.  BB_TRUSTED_NETWORK holds a list of hostnames
>that the
>> user
>> trusts as a source for downloading content.  If network access is
>enabled
>> and
>> the user has configured trusted hosts, then any hosts that are not in
>the
>> list
>> will cause an error to occur at fetch.  Any mirrors and pre-mirrors
>that
>> are
>> not in the list will result in warnings that these locations will not
>be
>> used.
>>
>> The BB_NO_NETWORK variable still stops all network access.
>>
>> Please see the comments in the patch for more details and example
>usage.
>>
>
>Hmm, looks like this might be useful with an internal mirror coupled
>with
>PREMIRRORS, so fetches from the internal host are allowed, but anything
>missing from there would be immediately caught?

That was my thought, too.
I would find BB_ALLOWED_NETWORKS more intuitive though.

Cheers,





* Re: [PATCH] fetch2: Add BB_TRUSTED_NETWORK support
  2015-04-15 19:42   ` Bernhard Reutner-Fischer
@ 2015-04-16 14:16     ` Liam R. Howlett
  0 siblings, 0 replies; 22+ messages in thread
From: Liam R. Howlett @ 2015-04-16 14:16 UTC (permalink / raw)
  To: Bernhard Reutner-Fischer
  Cc: Christopher Larson, bitbake-devel@lists.openembedded.org

* Bernhard Reutner-Fischer <rep.dot.nop@gmail.com> [150415 15:43]:
> On April 15, 2015 9:37:38 PM GMT+02:00, Christopher Larson <clarson@kergoth.com> wrote:
> >On Tue, Mar 31, 2015 at 11:39 AM, Liam R. Howlett <
> >Liam.Howlett@windriver.com> wrote:
> >
> >> This patch adds support for a new local.conf variable called
> >> BB_TRUSTED_NETWORK.  BB_TRUSTED_NETWORK holds a list of hostnames
> >that the
> >> user
> >> trusts as a source for downloading content.  If network access is
> >enabled
> >> and
> >> the user has configured trusted hosts, then any hosts that are not in
> >the
> >> list
> >> will cause an error to occur at fetch.  Any mirrors and pre-mirrors
> >that
> >> are
> >> not in the list will result in warnings that these locations will not
> >be
> >> used.
> >>
> >> The BB_NO_NETWORK variable still stops all network access.
> >>
> >> Please see the comments in the patch for more details and example
> >usage.
> >>
> >
> >Hmm, looks like this might be useful with an internal mirror coupled
> >with
> >PREMIRRORS, so fetches from the internal host are allowed, but anything
> >missing from there would be immediately caught?
> 

Yes, limiting to a local mirror is the main driving force behind this
patch.  It will also catch any packages getting pulled in from undesired
locations through dependencies, etc.


> That was my thought, too.
> I would find BB_ALLOWED_NETWORKS more intuitive though.
> 
> Cheers,
> 
> 

I had BB_LIMITED_NETWORKS before, but I think BB_ALLOWED_NETWORKS is
better than both of my suggestions.

Please note that I did send v2 of this patch with minor cleanup & a fix
yesterday, 2015-04-15.

Thanks,
Liam



* [PATCH v3] fetch2: Add BB_ALLOWED_NETWORKS support
  2015-04-15 18:17     ` Liam R. Howlett
@ 2015-04-16 17:06       ` Liam R. Howlett
  2015-04-16 17:23       ` Liam R. Howlett
  1 sibling, 0 replies; 22+ messages in thread
From: Liam R. Howlett @ 2015-04-16 17:06 UTC (permalink / raw)
  To: bitbake-devel

This patch adds support for a new local.conf variable called
BB_ALLOWED_NETWORKS.  BB_ALLOWED_NETWORKS holds a list of hostnames that the
user trusts as a source for downloading content.  If network access is enabled
and the user has configured trusted hosts, then any hosts that are not in the
list will cause an error to occur at fetch.  Any mirrors and pre-mirrors that
are not in the list will result in warnings that these locations will not be
used.

The BB_NO_NETWORK variable still stops all network access.

Please see the comments in the patch for more details and example usage.

Liam R. Howlett (1):
  fetch2: Add BB_ALLOWED_NETWORKS support

 lib/bb/fetch2/__init__.py | 53 +++++++++++++++++++++++++++++++++++++++++++++++
 lib/bb/tests/fetch.py     | 37 +++++++++++++++++++++++++++++++++
 2 files changed, 90 insertions(+)

-- 
2.1.1




* [PATCH v3] fetch2: Add BB_ALLOWED_NETWORKS support
  2015-04-15 18:17     ` Liam R. Howlett
  2015-04-16 17:06       ` [PATCH v3] fetch2: Add BB_ALLOWED_NETWORKS support Liam R. Howlett
@ 2015-04-16 17:23       ` Liam R. Howlett
  2015-05-12 11:17         ` Richard Purdie
  1 sibling, 1 reply; 22+ messages in thread
From: Liam R. Howlett @ 2015-04-16 17:23 UTC (permalink / raw)
  To: bitbake-devel

BB_ALLOWED_NETWORKS is a list of hosts that the fetcher will be allowed
to use when BB_NO_NETWORK is not set.

If BB_NO_NETWORK is set, then networking is still disabled.

If BB_ALLOWED_NETWORKS is not set, the behaviour remains the same as
today.

If BB_NO_NETWORK is NOT set, and BB_ALLOWED_NETWORKS is configured, then
only the hosts in the list are usable by the fetcher.

eg:
BB_ALLOWED_NETWORKS="yoctoproject.org git.gnu.org"
The fetcher will be able to download from yoctoproject.org, git.gnu.org,
but not ftp.gnu.org or any other hostname that is not in the list.

There is also limited support for wildcards on the beginning of the
hosts, so BB_ALLOWED_NETWORKS="*.gnu.org" will match git.gnu.org and
ftp.gnu.org as well as foo.git.gnu.org

Signed-off-by: Liam R. Howlett <Liam.Howlett@WindRiver.com>
---
 lib/bb/fetch2/__init__.py | 53 +++++++++++++++++++++++++++++++++++++++++++++++
 lib/bb/tests/fetch.py     | 37 +++++++++++++++++++++++++++++++++
 2 files changed, 90 insertions(+)

diff --git a/lib/bb/fetch2/__init__.py b/lib/bb/fetch2/__init__.py
index b004dae..8eebd63 100644
--- a/lib/bb/fetch2/__init__.py
+++ b/lib/bb/fetch2/__init__.py
@@ -61,6 +61,17 @@ class BBFetchException(Exception):
     def __str__(self):
          return self.msg
 
+class UntrustedUrl(BBFetchException):
+    """Exception raised when encountering a host not listed in BB_ALLOWED_NETWORKS"""
+    def __init__(self, url, message=''):
+        if message:
+            msg = message
+        else:
+            msg = "The URL: '%s' is not trusted and cannot be used" % url
+        self.url = url
+        BBFetchException.__init__(self, msg)
+        self.args = (url,)
+
 class MalformedUrl(BBFetchException):
     """Exception raised when encountering an invalid url"""
     def __init__(self, url, message=''):
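Review bot: the docstring now refers to BB_ALLOWED_NETWORKS, but the message a user actually sees still only says the URL "is not trusted and cannot be used"; name the variable and the rejected host in it, e.g. `msg = "The URL: '%s' is not in BB_ALLOWED_NETWORKS and cannot be used" % url`, so the error points at the setting to fix.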
@@ -851,6 +862,11 @@ def build_mirroruris(origud, mirrors, ld):
             newuri = uri_replace(ud, find, replace, replacements, ld)
             if not newuri or newuri in uris or newuri == origud.url:
                 continue
+
+            if not trusted_network(ld, newuri):
+                logger.debug(1, "Mirror %s not in the list of trusted networks, skipping" %  (newuri))
+                continue
+
             try:
                 newud = FetchData(newuri, ld)
                 newud.setup_localpath(ld)
@@ -971,6 +987,41 @@ def try_mirrors(d, origud, mirrors, check = False):
             return ret
     return None
 
+def trusted_network(d, url):
+    """
+    Use a trusted url during download if networking is enabled and
+    BB_ALLOWED_NETWORKS is set globally or for a specific recipe.
+    Note: modifies SRC_URI & mirrors.
+    """
+    if d.getVar('BB_NO_NETWORK', True) == "1":
+        return True
+
+    pkgname = d.expand(d.getVar('PN'))
+    trusted_hosts = d.getVarFlag('BB_ALLOWED_NETWORKS', pkgname)
+
+    if not trusted_hosts:
+        trusted_hosts = d.getVar('BB_ALLOWED_NETWORKS', True)
+
+    # Not enabled.
+    if not trusted_hosts:
+        return True
+
+    scheme, network, path, user, passwd, param = decodeurl(url)
+
+    if not network:
+        return True
+
+    network = network.lower()
+
+    for host in trusted_hosts.split(" "):
+        host = host.lower()
+        if host.startswith("*.") and ("." + network).endswith(host[1:]):
+            return True
+        if host == network:
+            return True
+
+    return False
+
 def srcrev_internal_helper(ud, d, name):
     """
     Return:
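Review bot: the per-recipe override, `d.getVarFlag('BB_ALLOWED_NETWORKS', pkgname)`, is mentioned neither in the commit message nor in the draft documentation, and it replaces the global list rather than extending it, which someone writing `BB_ALLOWED_NETWORKS[hello] = "..."` in local.conf would not expect unless told; document it with an example. `pkgname = d.expand(d.getVar('PN'))` is the only unexpanded getVar in the function, `d.getVar('PN', True)` matches the surrounding calls. Finally, if decodeurl keeps an explicit port in the host part, a URL on `mirror.example:8080` will not match an entry of `mirror.example`; the documentation should say that the port has to be listed.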
@@ -1529,6 +1580,8 @@ class Fetch(object):
                 firsterr = None
                 if not localpath and ((not verify_donestamp(ud, self.d)) or m.need_update(ud, self.d)):
                     try:
+                        if not trusted_network(self.d, ud.url):
+                            raise UntrustedUrl(ud.url)
                         logger.debug(1, "Trying Upstream")
                         m.download(ud, self.d)
                         if hasattr(m, "build_mirror_data"):
diff --git a/lib/bb/tests/fetch.py b/lib/bb/tests/fetch.py
index d56ef49..d3f7b6a 100644
--- a/lib/bb/tests/fetch.py
+++ b/lib/bb/tests/fetch.py
@@ -547,6 +547,43 @@ class FetcherNetworkTest(FetcherTest):
             os.chdir(os.path.dirname(self.unpackdir))
             fetcher.unpack(self.unpackdir)
 
+        def test_trusted_network(self):
+            # Ensure trusted_network returns False when the host IS in the list.
+            url = "git://Someserver.org/foo;rev=1"
+            self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org someserver.org server2.org server3.org")
+            self.assertTrue(bb.fetch.trusted_network(self.d, url))
+
+        def test_wild_trusted_network(self):
+            # Ensure trusted_network returns true when the *.host IS in the list.
+            url = "git://Someserver.org/foo;rev=1"
+            self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org *.someserver.org server2.org server3.org")
+            self.assertTrue(bb.fetch.trusted_network(self.d, url))
+
+        def test_prefix_wild_trusted_network(self):
+            # Ensure trusted_network returns true when the prefix matches *.host.
+            url = "git://git.Someserver.org/foo;rev=1"
+            self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org *.someserver.org server2.org server3.org")
+            self.assertTrue(bb.fetch.trusted_network(self.d, url))
+
+        def test_two_prefix_wild_trusted_network(self):
+            # Ensure trusted_network returns true when the prefix matches *.host.
+            url = "git://something.git.Someserver.org/foo;rev=1"
+            self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org *.someserver.org server2.org server3.org")
+            self.assertTrue(bb.fetch.trusted_network(self.d, url))
+
+        def test_untrusted_network(self):
+            # Ensure trusted_network returns False when the host is NOT in the list.
+            url = "git://someserver.org/foo;rev=1"
+            self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org server2.org server3.org")
+            self.assertFalse(bb.fetch.trusted_network(self.d, url))
+
+        def test_wild_untrusted_network(self):
+            # Ensure trusted_network returns False when the host is NOT in the list.
+            url = "git://*.someserver.org/foo;rev=1"
+            self.d.setVar("BB_ALLOWED_NETWORKS", "server1.org server2.org server3.org")
+            self.assertFalse(bb.fetch.trusted_network(self.d, url))
+
+
 class URLHandle(unittest.TestCase):
 
     datatable = {
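Review bot: this is the version being merged and two issues from the earlier rounds are still present: the comment on test_trusted_network ("returns False when the host IS in the list") contradicts its assertTrue, and the tests sit under the network-test guard of FetcherNetworkTest even though trusted_network needs no network, so they will not run where BB_SKIP_NETTESTS is set. A near-miss negative test (`evilsomeserver.org` against `*.someserver.org`) is also still missing.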
-- 
2.1.1




* Re: [PATCH v3] fetch2: Add BB_ALLOWED_NETWORKS support
  2015-04-16 17:23       ` Liam R. Howlett
@ 2015-05-12 11:17         ` Richard Purdie
  2015-05-12 14:28           ` Liam R. Howlett
  0 siblings, 1 reply; 22+ messages in thread
From: Richard Purdie @ 2015-05-12 11:17 UTC (permalink / raw)
  To: Liam R. Howlett, Rifenbark, Scott M; +Cc: bitbake-devel

On Thu, 2015-04-16 at 13:23 -0400, Liam R. Howlett wrote:
> BB_ALLOWED_NETWORKS is a list of hosts that the fetcher will be allowed
> to use when BB_NO_NETWORK is not set.
> 
> If BB_NO_NETWORK is set, then networking is still disabled.
> 
> If BB_ALLOWED_NETWORKS is not set, the behaviour remains the same as
> today.
> 
> If BB_NO_NETWORK is NOT set, and BB_ALLOWED_NETWORKS is configured, then
> only the hosts in the list are usable by the fetcher.
> 
> eg:
> BB_ALLOWED_NETWORKS="yoctoproject.org git.gnu.org"
> The fetcher will be able to download from yoctoproject.org, git.gnu.org,
> but not ftp.gnu.org or any other hostname that is not in the list.
> 
> There is also limited support for wildcards on the beginning of the
> hosts, so BB_ALLOWED_NETWORKS="*.gnu.org" will match git.gnu.org and
> ftp.gnu.org as well as foo.git.gnu.org
> 
> Signed-off-by: Liam R. Howlett <Liam.Howlett@WindRiver.com>
> ---
>  lib/bb/fetch2/__init__.py | 53 +++++++++++++++++++++++++++++++++++++++++++++++
>  lib/bb/tests/fetch.py     | 37 +++++++++++++++++++++++++++++++++
>  2 files changed, 90 insertions(+)

I've merged this, however, one of the things we're trying to do is
improve the documentation of bitbake. Would you be able to work with
Scott (cc'd) to ensure this is documented in the manual please?

Cheers,

Richard




* Re: [PATCH v3] fetch2: Add BB_ALLOWED_NETWORKS support
  2015-05-12 11:17         ` Richard Purdie
@ 2015-05-12 14:28           ` Liam R. Howlett
  2015-06-15 13:28             ` Paul Eggleton
  0 siblings, 1 reply; 22+ messages in thread
From: Liam R. Howlett @ 2015-05-12 14:28 UTC (permalink / raw)
  To: Richard Purdie; +Cc: bitbake-devel

* Richard Purdie <richard.purdie@linuxfoundation.org> [150512 07:18]:
> On Thu, 2015-04-16 at 13:23 -0400, Liam R. Howlett wrote:
> > BB_ALLOWED_NETWORKS is a list of hosts that the fetcher will be allowed
> > to use when BB_NO_NETWORK is not set.
> > 
> > If BB_NO_NETWORK is set, then networking is still disabled.
> > 
> > If BB_ALLOWED_NETWORKS is not set, the behaviour remains the same as
> > today.
> > 
> > If BB_NO_NETWORK is NOT set, and BB_ALLOWED_NETWORKS is configured, then
> > only the hosts in the list are usable by the fetcher.
> > 
> > eg:
> > BB_ALLOWED_NETWORKS="yoctoproject.org git.gnu.org"
> > The fetcher will be able to download from yoctoproject.org, git.gnu.org,
> > but not ftp.gnu.org or any other hostname that is not in the list.
> > 
> > There is also limited support for wildcards on the beginning of the
> > hosts, so BB_ALLOWED_NETWORKS="*.gnu.org" will match git.gnu.org and
> > ftp.gnu.org as well as foo.git.gnu.org
> > 
> > Signed-off-by: Liam R. Howlett <Liam.Howlett@WindRiver.com>
> > ---
> >  lib/bb/fetch2/__init__.py | 53 +++++++++++++++++++++++++++++++++++++++++++++++
> >  lib/bb/tests/fetch.py     | 37 +++++++++++++++++++++++++++++++++
> >  2 files changed, 90 insertions(+)
> 
> I've merged this, however, one of the things we're trying to do is
> improve the documentation of bitbake. Would you be able to work with
> Scott (cc'd) to ensure this is documented in the manual please?
> 
> Cheers,
> 
> Richard
> 

Absolutely, Thanks Richard.

Hello Scott,

If you don't have anything started, we can work from the text below if
you'd like.

--------

BB_ALLOWED_NETWORKS

Specifies a space delimited list of hosts which are allowed to be used
by the fetcher to obtain the required source code.  This list is only
used if BB_NO_NETWORK is not set.  Wildcard matching at the beginning of
hosts is supported.  Mirrors that are not in the list will be skipped
and logged in debug.  Attempts to access networks that are not in the
BB_ALLOWED_NETWORKS will cause a failure.

--------

Thanks,
Liam




* Re: [PATCH v3] fetch2: Add BB_ALLOWED_NETWORKS support
  2015-05-12 14:28           ` Liam R. Howlett
@ 2015-06-15 13:28             ` Paul Eggleton
  2015-06-15 13:30               ` Rifenbark, Scott M
  2015-06-15 13:38               ` Gary Thomas
  0 siblings, 2 replies; 22+ messages in thread
From: Paul Eggleton @ 2015-06-15 13:28 UTC (permalink / raw)
  To: Liam R. Howlett; +Cc: bitbake-devel

On Tuesday 12 May 2015 10:28:08 Liam R. Howlett wrote:
> * Richard Purdie <richard.purdie@linuxfoundation.org> [150512 07:18]:
> > On Thu, 2015-04-16 at 13:23 -0400, Liam R. Howlett wrote:
> > > BB_ALLOWED_NETWORKS is a list of hosts that the fetcher will be allowed
> > > to use when BB_NO_NETWORK is not set.
> > > 
> > > If BB_NO_NETWORK is set, then networking is still disabled.
> > > 
> > > If BB_ALLOWED_NETWORKS is not set, the behaviour remains the same as
> > > today.
> > > 
> > > If BB_NO_NETWORK is NOT set, and BB_ALLOWED_NETWORKS is configured, then
> > > only the hosts in the list are usable by the fetcher.
> > > 
> > > eg:
> > > BB_ALLOWED_NETWORKS="yoctoproject.org git.gnu.org"
> > > The fetcher will be able to download from yoctoproject.org, git.gnu.org,
> > > but not ftp.gnu.org or any other hostname that is not in the list.
> > > 
> > > There is also limited support for wildcards on the beginning of the
> > > hosts, so BB_ALLOWED_NETWORKS="*.gnu.org" will match git.gnu.org and
> > > ftp.gnu.org as well as foo.git.gnu.org
> > > 
> > > Signed-off-by: Liam R. Howlett <Liam.Howlett@WindRiver.com>
> > > ---
> > > 
> > >  lib/bb/fetch2/__init__.py | 53 +++++++++++++++++++++++++++++++++++++++++++++++
> > >  lib/bb/tests/fetch.py     | 37 +++++++++++++++++++++++++++++++++
> > >  2 files changed, 90 insertions(+)
> > 
> > I've merged this, however, one of the things we're trying to do is
> > improve the documentation of bitbake. Would you be able to work with
> > Scott (cc'd) to ensure this is documented in the manual please?
> > 
> > Cheers,
> > 
> > Richard
> 
> Absolutely, Thanks Richard.
> 
> Hello Scott,
> 
> If you don't have anything started, we can work from the text below if
> you'd like.
> 
> --------
> 
> BB_ALLOWED_NETWORKS
> 
> Specifies a space delimited list of hosts which are allowed to be used
> by the fetcher to obtain the required source code.  This list is only
> used if BB_NO_NETWORK is not set.  Wildcard matching at the beginning of
> hosts is supported.  Mirrors that are not in the list will be skipped
> and logged in debug.  Attempts to access networks that are not in the
> BB_ALLOWED_NETWORKS will cause a failure.
> 
> --------
> 
> Thanks,
> Liam

Replying to add Scott on CC - I think he has something for review.

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre



* Re: [PATCH v3] fetch2: Add BB_ALLOWED_NETWORKS support
  2015-06-15 13:28             ` Paul Eggleton
@ 2015-06-15 13:30               ` Rifenbark, Scott M
  2015-06-15 13:38               ` Gary Thomas
  1 sibling, 0 replies; 22+ messages in thread
From: Rifenbark, Scott M @ 2015-06-15 13:30 UTC (permalink / raw)
  To: Paul Eggleton, Howlett, Liam (Wind River)
  Cc: bitbake-devel@lists.openembedded.org

Liam, 

I will take your raw information and create a new variable description in both the BitBake manual and the YP reference manual.  I will send out a review link to you when it is ready.

Thanks,
Scott

>-----Original Message-----
>From: Paul Eggleton [mailto:paul.eggleton@linux.intel.com]
>Sent: Monday, June 15, 2015 6:28 AM
>To: Howlett, Liam (Wind River)
>Cc: Richard Purdie; Rifenbark, Scott M; bitbake-
>devel@lists.openembedded.org
>Subject: Re: [bitbake-devel] [PATCH v3] fetch2: Add
>BB_ALLOWED_NETWORKS support
>
>On Tuesday 12 May 2015 10:28:08 Liam R. Howlett wrote:
>> * Richard Purdie <richard.purdie@linuxfoundation.org> [150512 07:18]:
>> > On Thu, 2015-04-16 at 13:23 -0400, Liam R. Howlett wrote:
>> > > BB_ALLOWED_NETWORKS is a list of hosts that the fetcher will be
>> > > allowed to use when BB_NO_NETWORK is not set.
>> > >
>> > > If BB_NO_NETWORK is set, then networking is still disabled.
>> > >
>> > > If BB_ALLOWED_NETWORKS is not set, the behaviour remains the same
>> > > as today.
>> > >
>> > > If BB_NO_NETWORK is NOT set, and BB_ALLOWED_NETWORKS is
>> > > configured, then only the hosts in the list are usable by the fetcher.
>> > >
>> > > eg:
>> > > BB_ALLOWED_NETWORKS="yoctoproject.org git.gnu.org"
>> > > The fetcher will be able to download from yoctoproject.org,
>> > > git.gnu.org, but not ftp.gnu.org or any other hostname that is not in the list.
>> > >
>> > > There is also limited support for wildcards on the beginning of
>> > > the hosts, so BB_ALLOWED_NETWORKS="*.gnu.org" will match
>> > > git.gnu.org and ftp.gnu.org as well as foo.git.gnu.org
>> > >
>> > > Signed-off-by: Liam R. Howlett <Liam.Howlett@WindRiver.com>
>> > > ---
>> > >
>> > >  lib/bb/fetch2/__init__.py | 53 +++++++++++++++++++++++++++++++++++++++++++++++
>> > >  lib/bb/tests/fetch.py     | 37 +++++++++++++++++++++++++++++++++
>> > >  2 files changed, 90 insertions(+)
>> >
>> > I've merged this, however, one of the things we're trying to do is
>> > improve the documentation of bitbake. Would you be able to work with
>> > Scott (cc'd) to ensure this is documented in the manual please?
>> >
>> > Cheers,
>> >
>> > Richard
>>
>> Absolutely, Thanks Richard.
>>
>> Hello Scott,
>>
>> If you don't have anything started, we can work from the text below if
>> you'd like.
>>
>> --------
>>
>> BB_ALLOWED_NETWORKS
>>
>> Specifies a space delimited list of hosts which are allowed to be used
>> by the fetcher to obtain the required source code.  This list is only
>> used if BB_NO_NETWORK is not set.  Wildcard matching at the beginning
>> of hosts is supported.  Mirrors that are not in the list will be
>> skipped and logged in debug.  Attempts to access networks that are not
>> in the BB_ALLOWED_NETWORKS will cause a failure.
>>
>> --------
>>
>> Thanks,
>> Liam
>
>Replying to add Scott on CC - I think he has something for review.
>
>Cheers,
>Paul
>
>--
>
>Paul Eggleton
>Intel Open Source Technology Centre



* Re: [PATCH v3] fetch2: Add BB_ALLOWED_NETWORKS support
  2015-06-15 13:28             ` Paul Eggleton
  2015-06-15 13:30               ` Rifenbark, Scott M
@ 2015-06-15 13:38               ` Gary Thomas
  2015-06-15 14:03                 ` Rifenbark, Scott M
  1 sibling, 1 reply; 22+ messages in thread
From: Gary Thomas @ 2015-06-15 13:38 UTC (permalink / raw)
  To: bitbake-devel

On 2015-06-15 07:28, Paul Eggleton wrote:
> On Tuesday 12 May 2015 10:28:08 Liam R. Howlett wrote:
>> * Richard Purdie <richard.purdie@linuxfoundation.org> [150512 07:18]:
>>> On Thu, 2015-04-16 at 13:23 -0400, Liam R. Howlett wrote:
>>>> BB_ALLOWED_NETWORKS is a list of hosts that the fetcher will be allowed
>>>> to use when BB_NO_NETWORK is not set.
>>>>
>>>> If BB_NO_NETWORK is set, then networking is still disabled.
>>>>
>>>> If BB_ALLOWED_NETWORKS is not set, the behaviour remains the same as
>>>> today.
>>>>
>>>> If BB_NO_NETWORK is NOT set, and BB_ALLOWED_NETWORKS is configured, then
>>>> only the hosts in the list are usable by the fetcher.
>>>>
>>>> eg:
>>>> BB_ALLOWED_NETWORKS="yoctoproject.org git.gnu.org"
>>>> The fetcher will be able to download from yoctoproject.org, git.gnu.org,
>>>> but not ftp.gnu.org or any other hostname that is not in the list.
>>>>
>>>> There is also limited support for wildcards on the beginning of the
>>>> hosts, so BB_ALLOWED_NETWORKS="*.gnu.org" will match git.gnu.org and
>>>> ftp.gnu.org as well as foo.git.gnu.org
>>>>
>>>> Signed-off-by: Liam R. Howlett <Liam.Howlett@WindRiver.com>
>>>> ---
>>>>
>>>>   lib/bb/fetch2/__init__.py | 53 +++++++++++++++++++++++++++++++++++++++++++++++
>>>>   lib/bb/tests/fetch.py     | 37 +++++++++++++++++++++++++++++++++
>>>>   2 files changed, 90 insertions(+)
>>>
>>> I've merged this, however, one of the things we're trying to do is
>>> improve the documentation of bitbake. Would you be able to work with
>>> Scott (cc'd) to ensure this is documented in the manual please?
>>>
>>> Cheers,
>>>
>>> Richard
>>
>> Absolutely, Thanks Richard.
>>
>> Hello Scott,
>>
>> If you don't have anything started, we can work from the text below if
>> you'd like.
>>
>> --------
>>
>> BB_ALLOWED_NETWORKS
>>
>> Specifies a space delimited list of hosts which are allowed to be used
>> by the fetcher to obtain the required source code.  This list is only
>> used if BB_NO_NETWORK is not set.  Wildcard matching at the beginning of

Hopefully BB_NO_NETWORK='0' (which is different from 'not set') as well?
That works for all other uses of BB_NO_NETWORK.

>> hosts is supported.  Mirrors that are not in the list will be skipped
>> and logged in debug.  Attempts to access networks that are not in the
>> BB_ALLOWED_NETWORKS will cause a failure.
>>
>> --------
>>
>> Thanks,
>> Liam
>
> Replying to add Scott on CC - I think he has something for review.
>
> Cheers,
> Paul
>

-- 
------------------------------------------------------------
Gary Thomas                 |  Consulting for the
MLB Associates              |    Embedded world
------------------------------------------------------------



* Re: [PATCH v3] fetch2: Add BB_ALLOWED_NETWORKS support
  2015-06-15 13:38               ` Gary Thomas
@ 2015-06-15 14:03                 ` Rifenbark, Scott M
  2015-06-15 21:47                   ` Bernhard Reutner-Fischer
  0 siblings, 1 reply; 22+ messages in thread
From: Rifenbark, Scott M @ 2015-06-15 14:03 UTC (permalink / raw)
  To: Gary Thomas, bitbake-devel@lists.openembedded.org
  Cc: Howlett, Liam (Wind River), Paul Eggleton

Hi, 

Here is a first draft of documenting the BB_ALLOWED_NETWORKS variable in the BitBake User Manual.  I re-wrote the original text to be active voice and applied some different organization of the facts to help the flow out.  Regarding Gary's input about BB_NO_NETWORK..... I took a half guess at incorporating it.  Please look this new description over and let me know of any corrections I need to make.  http://www.yoctoproject.org/docs/1.9/bitbake-user-manual/bitbake-user-manual.html#var-BB_ALLOWED_NETWORKS.

Thanks,
Scott

>-----Original Message-----
>From: bitbake-devel-bounces@lists.openembedded.org [mailto:bitbake-
>devel-bounces@lists.openembedded.org] On Behalf Of Gary Thomas
>Sent: Monday, June 15, 2015 6:39 AM
>To: bitbake-devel@lists.openembedded.org
>Subject: Re: [bitbake-devel] [PATCH v3] fetch2: Add
>BB_ALLOWED_NETWORKS support
>
>On 2015-06-15 07:28, Paul Eggleton wrote:
>> On Tuesday 12 May 2015 10:28:08 Liam R. Howlett wrote:
>>> * Richard Purdie <richard.purdie@linuxfoundation.org> [150512 07:18]:
>>>> On Thu, 2015-04-16 at 13:23 -0400, Liam R. Howlett wrote:
>>>>> BB_ALLOWED_NETWORKS is a list of hosts that the fetcher will be
>>>>> allowed to use when BB_NO_NETWORK is not set.
>>>>>
>>>>> If BB_NO_NETWORK is set, then networking is still disabled.
>>>>>
>>>>> If BB_ALLOWED_NETWORKS is not set, the behaviour remains the same
>>>>> as today.
>>>>>
>>>>> If BB_NO_NETWORK is NOT set, and BB_ALLOWED_NETWORKS is configured,
>>>>> then only the hosts in the list are usable by the fetcher.
>>>>>
>>>>> eg:
>>>>> BB_ALLOWED_NETWORKS="yoctoproject.org git.gnu.org"
>>>>> The fetcher will be able to download from yoctoproject.org,
>>>>> git.gnu.org, but not ftp.gnu.org or any other hostname that is not in the list.
>>>>>
>>>>> There is also limited support for wildcards on the beginning of the
>>>>> hosts, so BB_ALLOWED_NETWORKS="*.gnu.org" will match git.gnu.org
>>>>> and ftp.gnu.org as well as foo.git.gnu.org
>>>>>
>>>>> Signed-off-by: Liam R. Howlett <Liam.Howlett@WindRiver.com>
>>>>> ---
>>>>>
>>>>>   lib/bb/fetch2/__init__.py | 53 +++++++++++++++++++++++++++++++++++++++++++++++
>>>>>   lib/bb/tests/fetch.py     | 37 +++++++++++++++++++++++++++++++++
>>>>>   2 files changed, 90 insertions(+)
>>>>
>>>> I've merged this, however, one of the things we're trying to do is
>>>> improve the documentation of bitbake. Would you be able to work with
>>>> Scott (cc'd) to ensure this is documented in the manual please?
>>>>
>>>> Cheers,
>>>>
>>>> Richard
>>>
>>> Absolutely, Thanks Richard.
>>>
>>> Hello Scott,
>>>
>>> If you don't have anything started, we can work from the text below
>>> if you'd like.
>>>
>>> --------
>>>
>>> BB_ALLOWED_NETWORKS
>>>
>>> Specifies a space delimited list of hosts which are allowed to be
>>> used by the fetcher to obtain the required source code.  This list is
>>> only used if BB_NO_NETWORK is not set.  Wildcard matching at the
>>> beginning of
>
>Hopefully BB_NO_NETWORK='0' (which is different from 'not set') as well?
>That works for all other uses of BB_NO_NETWORK.
>
>>> hosts is supported.  Mirrors that are not in the list will be skipped
>>> and logged in debug.  Attempts to access networks that are not in the
>>> BB_ALLOWED_NETWORKS will cause a failure.
>>>
>>> --------
>>>
>>> Thanks,
>>> Liam
>>
>> Replying to add Scott on CC - I think he has something for review.
>>
>> Cheers,
>> Paul
>>
>
>--
>------------------------------------------------------------
>Gary Thomas                 |  Consulting for the
>MLB Associates              |    Embedded world
>------------------------------------------------------------



* Re: [PATCH v3] fetch2: Add BB_ALLOWED_NETWORKS support
  2015-06-15 14:03                 ` Rifenbark, Scott M
@ 2015-06-15 21:47                   ` Bernhard Reutner-Fischer
  2015-06-16  8:40                     ` Paul Eggleton
  0 siblings, 1 reply; 22+ messages in thread
From: Bernhard Reutner-Fischer @ 2015-06-15 21:47 UTC (permalink / raw)
  To: Rifenbark, Scott M, Gary Thomas,
	bitbake-devel@lists.openembedded.org
  Cc: Howlett, Liam (Wind River), Paul Eggleton

On June 15, 2015 4:03:11 PM GMT+02:00, "Rifenbark, Scott M" <scott.m.rifenbark@intel.com> wrote:
>Hi, 
>
>Here is a first draft of documenting the BB_ALLOWED_NETWORKS variable
>in the BitBake User Manual.  I re-wrote the original text to be active
>voice and applied some different organization of the facts to help the
>flow out.  Regarding Gary's input about BB_NO_NETWORK..... I took a
>half guess at incorporating it.  Please look this new description over
>and let me know of any corrections I need to make. 
>http://www.yoctoproject.org/docs/1.9/bitbake-user-manual/bitbake-user-manual.html#var-BB_ALLOWED_NETWORKS.

Was the v3 fixed / extended to allow for netmasks, btw?
Think
/etc/hosts
foo.example.com 10.0.0.1
bar.example.com 10.0.0.254
baz.example.com ::1

BB_ALLOWED_NETWORKS = 10.0.0.0/24 1.1.1.1/31 ::1/127

Thanks,




* Re: [PATCH v3] fetch2: Add BB_ALLOWED_NETWORKS support
  2015-06-15 21:47                   ` Bernhard Reutner-Fischer
@ 2015-06-16  8:40                     ` Paul Eggleton
  2015-06-16 13:42                       ` Liam R. Howlett
  0 siblings, 1 reply; 22+ messages in thread
From: Paul Eggleton @ 2015-06-16  8:40 UTC (permalink / raw)
  To: Bernhard Reutner-Fischer
  Cc: Howlett, Liam (Wind River), bitbake-devel@lists.openembedded.org,
	Gary Thomas

On Monday 15 June 2015 23:47:29 Bernhard Reutner-Fischer wrote:
> On June 15, 2015 4:03:11 PM GMT+02:00, "Rifenbark, Scott M" 
<scott.m.rifenbark@intel.com> wrote:
> >Hi,
> >
> >Here is a first draft of documenting the BB_ALLOWED_NETWORKS variable
> >in the BitBake User Manual.  I re-wrote the original text to be active
> >voice and applied some different organization of the facts to help the
> >flow out.  Regarding Gary's input about BB_NO_NETWORK..... I took a
> >half guess at incorporating it.  Please look this new description over
> >and let me know of any corrections I need to make.
> >http://www.yoctoproject.org/docs/1.9/bitbake-user-manual/bitbake-user-manual.html#var-BB_ALLOWED_NETWORKS.
> Was the v3 fixed / extended to allow for netmasks, btw?
> Think
> /etc/hosts
> foo.example.com 10.0.0.1
> bar.example.com 10.0.0.254
> baz.example.com ::1
> 
> BB_ALLOWED_NETWORKS = 10.0.0.0/24 1.1.1.1/31 ::1/127

I don't believe so. You can see what actually went in here:

http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=59ce7d02a57e0a642d839ab48677f6ac1886180f

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre



* Re: [PATCH v3] fetch2: Add BB_ALLOWED_NETWORKS support
  2015-06-16  8:40                     ` Paul Eggleton
@ 2015-06-16 13:42                       ` Liam R. Howlett
  2015-06-16 15:25                         ` Rifenbark, Scott M
  0 siblings, 1 reply; 22+ messages in thread
From: Liam R. Howlett @ 2015-06-16 13:42 UTC (permalink / raw)
  To: Paul Eggleton; +Cc: bitbake-devel@lists.openembedded.org, Gary Thomas

* Paul Eggleton <paul.eggleton@linux.intel.com> [150616 04:40]:
> On Monday 15 June 2015 23:47:29 Bernhard Reutner-Fischer wrote:
> > On June 15, 2015 4:03:11 PM GMT+02:00, "Rifenbark, Scott M" 
> <scott.m.rifenbark@intel.com> wrote:
> > >Hi,
> > >
> > >Here is a first draft of documenting the BB_ALLOWED_NETWORKS variable
> > >in the BitBake User Manual.  I re-wrote the original text to be active
> > >voice and applied some different organization of the facts to help the
> > >flow out.  Regarding Gary's input about BB_NO_NETWORK..... I took a
> > >half guess at incorporating it.  Please look this new description over
> > >and let me know of any corrections I need to make.
> > >http://www.yoctoproject.org/docs/1.9/bitbake-user-manual/bitbake-user-manual.html#var-BB_ALLOWED_NETWORKS.

Hi,

The documentation looks correct; however, it might be worth noting that
adding the host you'd like to use to PREMIRROR will result in the source
code being fetched from an allowed location and avoid raising an error
when a host that is not allowed is in a SRC_URI because the fetcher will
not attempt to use the SRC_URI host after a successful fetch from the
PREMIRROR.  Using BB_ALLOWED_NETWORKS in conjunction with PREMIRROR is
where this feature is very useful.


> > Was the v3 fixed / extended to allow for netmasks, btw?
> > Think
> > /etc/hosts
> > foo.example.com 10.0.0.1
> > bar.example.com 10.0.0.254
> > baz.example.com ::1
> > 
> > BB_ALLOWED_NETWORKS = 10.0.0.0/24 1.1.1.1/31 ::1/127
> 
> I don't believe so. You can see what actually went in here:
> 
> http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=59ce7d02a57e0a642d839ab48677f6ac1886180f
> 
> Cheers,
> Paul


There isn't netmask support, but you can achieve the same result in
your example above by using BB_ALLOWED_NETWORKS = "*.example.com"

Version 2 updated the host matching and added a few more tests.

Version 3 changed the name from BB_TRUSTED_NETWORKS to
BB_ALLOWED_NETWORKS.


Thanks,
Liam R. Howlett

> 
> -- 
> 
> Paul Eggleton
> Intel Open Source Technology Centre
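The host matching and PREMIRROR behaviour Liam describes, as an added Python example that is not BitBake's fetcher code and not from anyone in this thread; it assumes a leading "*." wildcard that does not match the bare domain, that BB_NO_NETWORK="0" counts as unset, and premirrors passed as already-expanded URLs (the helper names and sample URLs are constructed):

```python
"""Added example, not BitBake's fetcher code and not from anyone in this
thread: a simplified model of the BB_ALLOWED_NETWORKS behaviour described
above (exact or leading-"*." host matching, mirrors outside the list
skipped at debug level, a SRC_URI host outside the list failing the fetch,
and a successful PREMIRROR fetch meaning the SRC_URI host is never tried).

Assumptions not taken from the fetcher source: BB_NO_NETWORK="0" counts as
unset (Gary's point); "*.gnu.org" does not match the bare "gnu.org";
premirrors are passed as already-expanded candidate URLs rather than the
regex pairs BitBake's PREMIRRORS actually holds.
"""
from typing import Callable, List, Optional
from urllib.parse import urlparse


class FetchError(Exception):
    """Raised where the fetcher would abort the download."""


def network_disabled(bb_no_network: Optional[str]) -> bool:
    """Treat an unset, empty or "0" BB_NO_NETWORK as 'network allowed'."""
    return bool(bb_no_network) and bb_no_network.strip() != "0"


def host_allowed(host: str, allowed: str) -> bool:
    """True if host matches one entry of the space-delimited allow list.

    An entry "*.gnu.org" matches any depth of subdomain (git.gnu.org,
    foo.git.gnu.org).  The comparison keeps the leading dot, so a host
    such as evilgnu.org does not satisfy the suffix check.  A "*"
    anywhere else in an entry is treated literally, matching the thread's
    statement that only leading wildcards are supported.
    """
    host = host.lower().rstrip(".")
    for entry in allowed.split():
        entry = entry.lower()
        if entry.startswith("*."):
            if host.endswith(entry[1:]):
                return True
        elif host == entry:
            return True
    return False


def hostname_of(url: str) -> str:
    """Hostname part of a SRC_URI or mirror URL ("" if it has none)."""
    return urlparse(url).hostname or ""


def fetch_source(src_uri: str, premirrors: List[str], allowed: str,
                 try_download: Callable[[str], bool],
                 bb_no_network: Optional[str] = None,
                 log: Optional[List[str]] = None) -> str:
    """Return the URL the download came from, mirrors first, then SRC_URI.

    try_download(url) stands in for the real transfer and reports success.
    An empty allow list keeps the pre-feature behaviour: every host is used.
    """
    if log is None:
        log = []
    if network_disabled(bb_no_network):
        raise FetchError("BB_NO_NETWORK is set: no network access")
    for url in premirrors:
        host = hostname_of(url)
        if allowed and not host_allowed(host, allowed):
            # Not an error: the mirror is simply skipped, as the thread says.
            log.append(f"DEBUG: skipping mirror {url}: {host} not in BB_ALLOWED_NETWORKS")
            continue
        if try_download(url):
            return url
        log.append(f"DEBUG: mirror {url} failed, trying next candidate")
    # Only reached when no mirror produced the source.
    host = hostname_of(src_uri)
    if allowed and not host_allowed(host, allowed):
        raise FetchError(f"{host} (from {src_uri}) is not in BB_ALLOWED_NETWORKS")
    if try_download(src_uri):
        return src_uri
    raise FetchError(f"unable to fetch {src_uri}")


def demo() -> tuple:
    """Liam's PREMIRROR scenario with constructed URLs and a fake transfer."""
    allowed = "*.example.com yoctoproject.org"
    log: List[str] = []
    # The upstream host is outside the list, but an allowed premirror has a
    # copy, so the fetch succeeds without ever contacting ftp.gnu.org.
    used = fetch_source(
        "https://ftp.gnu.org/gnu/hello/hello-2.10.tar.gz",
        ["https://mirror.example.com/sources/hello-2.10.tar.gz"],
        allowed, try_download=lambda url: True, log=log)
    return used, log


if __name__ == "__main__":
    print(demo())
```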



* Re: [PATCH v3] fetch2: Add BB_ALLOWED_NETWORKS support
  2015-06-16 13:42                       ` Liam R. Howlett
@ 2015-06-16 15:25                         ` Rifenbark, Scott M
  2015-06-16 19:24                           ` Liam R. Howlett
  0 siblings, 1 reply; 22+ messages in thread
From: Rifenbark, Scott M @ 2015-06-16 15:25 UTC (permalink / raw)
  To: Howlett, Liam (Wind River), Paul Eggleton
  Cc: bitbake-devel@lists.openembedded.org, Gary Thomas



>-----Original Message-----
>From: Liam R. Howlett [mailto:Liam.Howlett@windriver.com]
>Sent: Tuesday, June 16, 2015 6:42 AM
>To: Paul Eggleton
>Cc: Bernhard Reutner-Fischer; Rifenbark, Scott M; Gary Thomas; bitbake-
>devel@lists.openembedded.org
>Subject: Re: [bitbake-devel] [PATCH v3] fetch2: Add
>BB_ALLOWED_NETWORKS support
>
>* Paul Eggleton <paul.eggleton@linux.intel.com> [150616 04:40]:
>> On Monday 15 June 2015 23:47:29 Bernhard Reutner-Fischer wrote:
>> > On June 15, 2015 4:03:11 PM GMT+02:00, "Rifenbark, Scott M"
>> <scott.m.rifenbark@intel.com> wrote:
>> > >Hi,
>> > >
>> > >Here is a first draft of documenting the BB_ALLOWED_NETWORKS
>> > >variable in the BitBake User Manual.  I re-wrote the original text
>> > >to be active voice and applied some different organization of the
>> > >facts to help the flow out.  Regarding Gary's input about
>> > >BB_NO_NETWORK..... I took a half guess at incorporating it.  Please
>> > >look this new description over and let me know of any corrections I need to make.
>> > >http://www.yoctoproject.org/docs/1.9/bitbake-user-manual/bitbake-user-manual.html#var-BB_ALLOWED_NETWORKS.
>
>Hi,
>
>The documentation looks correct; however, it might be worth noting that
>adding the host you'd like to use to PREMIRROR will result in the source code
>being fetched from an allowed location and avoid raising an error when a host
>that is not allowed is in a SRC_URI because the fetcher will not attempt to use
>the SRC_URI host after a successful fetch from the PREMIRROR.  Using
>BB_ALLOWED_NETWORKS in conjunction with PREMIRROR is where this
>feature is very useful.

Check the link to the variable description out now Liam.  Let me know if this addition is okay. 

>
>
>> > Was the v3 fixed / extended to allow for netmasks, btw?
>> > Think
>> > /etc/hosts
>> > foo.example.com 10.0.0.1
>> > bar.example.com 10.0.0.254
>> > baz.example.com ::1
>> >
>> > BB_ALLOWED_NETWORKS = 10.0.0.0/24 1.1.1.1/31 ::1/127
>>
>> I don't believe so. You can see what actually went in here:
>>
>> http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=59ce7d02a57e0a642d839ab48677f6ac1886180f
>>
>> Cheers,
>> Paul
>
>
>There isn't netmask support, but you can achieve the same result in your
>example above by using BB_ALLOWED_NETWORKS = "*.example.com"
>
>Version 2 updated the host matching and added a few more tests.
>
>Version 3 changed the name from BB_TRUSTED_NETWORKS to
>BB_ALLOWED_NETWORKS.
>
>
>Thanks,
>Liam R. Howlett
>
>>
>> --
>>
>> Paul Eggleton
>> Intel Open Source Technology Centre



* Re: [PATCH v3] fetch2: Add BB_ALLOWED_NETWORKS support
  2015-06-16 15:25                         ` Rifenbark, Scott M
@ 2015-06-16 19:24                           ` Liam R. Howlett
  2015-06-16 19:25                             ` Rifenbark, Scott M
  0 siblings, 1 reply; 22+ messages in thread
From: Liam R. Howlett @ 2015-06-16 19:24 UTC (permalink / raw)
  To: Rifenbark, Scott M
  Cc: Paul Eggleton, bitbake-devel@lists.openembedded.org, Gary Thomas

* Rifenbark, Scott M <scott.m.rifenbark@intel.com> [150616 11:25]:
> 
> 
> >-----Original Message-----
> >From: Liam R. Howlett [mailto:Liam.Howlett@windriver.com]
> >Sent: Tuesday, June 16, 2015 6:42 AM
> >To: Paul Eggleton
> >Cc: Bernhard Reutner-Fischer; Rifenbark, Scott M; Gary Thomas; bitbake-
> >devel@lists.openembedded.org
> >Subject: Re: [bitbake-devel] [PATCH v3] fetch2: Add
> >BB_ALLOWED_NETWORKS support
> >
> >* Paul Eggleton <paul.eggleton@linux.intel.com> [150616 04:40]:
> >> On Monday 15 June 2015 23:47:29 Bernhard Reutner-Fischer wrote:
> >> > On June 15, 2015 4:03:11 PM GMT+02:00, "Rifenbark, Scott M"
> >> <scott.m.rifenbark@intel.com> wrote:
> >> > >Hi,
> >> > >
> >> > >Here is a first draft of documenting the BB_ALLOWED_NETWORKS
> >> > >variable in the BitBake User Manual.  I re-wrote the original text
> >> > >to be active voice and applied some different organization of the
> >> > >facts to help the flow out.  Regarding Gary's input about
> >> > >BB_NO_NETWORK..... I took a half guess at incorporating it.  Please
> >> > >look this new description over and let me know of any corrections I need to make.
> >> > >http://www.yoctoproject.org/docs/1.9/bitbake-user-manual/bitbake-user-manual.html#var-BB_ALLOWED_NETWORKS.
> >
> >Hi,
> >
> >The documentation looks correct; however, it might be worth noting that
> >adding the host you'd like to use to PREMIRROR will result in the source code
> >being fetched from an allowed location and avoid raising an error when a host
> >that is not allowed is in a SRC_URI because the fetcher will not attempt to use
> >the SRC_URI host after a successful fetch from the PREMIRROR.  Using
> >BB_ALLOWED_NETWORKS in conjunction with PREMIRROR is where this
> >feature is very useful.
> 
> Check the link to the variable description out now Liam.  Let me know if this addition is okay.

This looks good!

Thanks,
Liam

> 
> >
> >
> >> > Was the v3 fixed / extended to allow for netmasks, btw?
> >> > Think
> >> > /etc/hosts
> >> > foo.example.com 10.0.0.1
> >> > bar.example.com 10.0.0.254
> >> > baz.example.com ::1
> >> >
> >> > BB_ALLOWED_NETWORKS = 10.0.0.0/24 1.1.1.1/31 ::1/127
> >>
> >> I don't believe so. You can see what actually went in here:
> >>
> >> http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=59ce7d02a57e0a642d839ab48677f6ac1886180f
> >>
> >> Cheers,
> >> Paul
> >
> >
> >There isn't netmask support, but you can achieve the same result in your
> >example above by using BB_ALLOWED_NETWORKS = "*.example.com"
> >
> >Version 2 updated the host matching and added a few more tests.
> >
> >Version 3 changed the name from BB_TRUSTED_NETWORKS to
> >BB_ALLOWED_NETWORKS.
> >
> >
> >Thanks,
> >Liam R. Howlett
> >
> >>
> >> --
> >>
> >> Paul Eggleton
> >> Intel Open Source Technology Centre



* Re: [PATCH v3] fetch2: Add BB_ALLOWED_NETWORKS support
  2015-06-16 19:24                           ` Liam R. Howlett
@ 2015-06-16 19:25                             ` Rifenbark, Scott M
  2015-06-16 22:16                               ` Rifenbark, Scott M
  0 siblings, 1 reply; 22+ messages in thread
From: Rifenbark, Scott M @ 2015-06-16 19:25 UTC (permalink / raw)
  To: Howlett, Liam (Wind River)
  Cc: Paul Eggleton, bitbake-devel@lists.openembedded.org, Gary Thomas



>-----Original Message-----
>From: Liam R. Howlett [mailto:Liam.Howlett@windriver.com]
>Sent: Tuesday, June 16, 2015 12:24 PM
>To: Rifenbark, Scott M
>Cc: Paul Eggleton; Bernhard Reutner-Fischer; Gary Thomas; bitbake-
>devel@lists.openembedded.org
>Subject: Re: [bitbake-devel] [PATCH v3] fetch2: Add
>BB_ALLOWED_NETWORKS support
>
>* Rifenbark, Scott M <scott.m.rifenbark@intel.com> [150616 11:25]:
>>
>>
>> >-----Original Message-----
>> >From: Liam R. Howlett [mailto:Liam.Howlett@windriver.com]
>> >Sent: Tuesday, June 16, 2015 6:42 AM
>> >To: Paul Eggleton
>> >Cc: Bernhard Reutner-Fischer; Rifenbark, Scott M; Gary Thomas;
>> >bitbake- devel@lists.openembedded.org
>> >Subject: Re: [bitbake-devel] [PATCH v3] fetch2: Add
>> >BB_ALLOWED_NETWORKS support
>> >
>> >* Paul Eggleton <paul.eggleton@linux.intel.com> [150616 04:40]:
>> >> On Monday 15 June 2015 23:47:29 Bernhard Reutner-Fischer wrote:
>> >> > On June 15, 2015 4:03:11 PM GMT+02:00, "Rifenbark, Scott M"
>> >> <scott.m.rifenbark@intel.com> wrote:
>> >> > >Hi,
>> >> > >
>> >> > >Here is a first draft of documenting the BB_ALLOWED_NETWORKS
>> >> > >variable in the BitBake User Manual.  I re-wrote the original
>> >> > >text to be active voice and applied some different organization
>> >> > >of the facts to help the flow out.  Regarding Gary's input about
>> >> > >BB_NO_NETWORK..... I took a half guess at incorporating it.
>> >> > >Please look this new description over and let me know of any
>> >> > >corrections I need to make.
>> >> > >http://www.yoctoproject.org/docs/1.9/bitbake-user-manual/bitbake-user-manual.html#var-BB_ALLOWED_NETWORKS.
>> >
>> >Hi,
>> >
>> >The documentation looks correct; however, it might be worth noting
>> >that adding the host you'd like to use to PREMIRROR will result in
>> >the source code being fetched from an allowed location and avoid
>> >raising an error when a host that is not allowed is in a SRC_URI
>> >because the fetcher will not attempt to use the SRC_URI host after a
>> >successful fetch from the PREMIRROR.  Using BB_ALLOWED_NETWORKS in
>> >conjunction with PREMIRROR is where this feature is very useful.
>>
>> Check the link to the variable description out now Liam.  Let me know if this addition is okay.
>
>This looks good!
>
>Thanks,
>Liam

Awesome... I will get the commit into the Bitbake repo and then duplicate the entry in the YP ref-manual.

Thanks,
Scott

>
>>
>> >
>> >
>> >> > Was the v3 fixed / extended to allow for netmasks, btw?
>> >> > Think
>> >> > /etc/hosts
>> >> > foo.example.com 10.0.0.1
>> >> > bar.example.com 10.0.0.254
>> >> > baz.example.com ::1
>> >> >
>> >> > BB_ALLOWED_NETWORKS = 10.0.0.0/24 1.1.1.1/31 ::1/127
>> >>
>> >> I don't believe so. You can see what actually went in here:
>> >>
>> >> http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=59ce7d02a57e0a642d839ab48677f6ac1886180f
>> >>
>> >> Cheers,
>> >> Paul
>> >
>> >
>> >There isn't netmask support, but you can achieve the same result in
>> >your example above by using BB_ALLOWED_NETWORKS = "*.example.com"
>> >
>> >Version 2 updated the host matching and added a few more tests.
>> >
>> >Version 3 changed the name from BB_TRUSTED_NETWORKS to
>> >BB_ALLOWED_NETWORKS.
>> >
>> >
>> >Thanks,
>> >Liam R. Howlett
>> >
>> >>
>> >> --
>> >>
>> >> Paul Eggleton
>> >> Intel Open Source Technology Centre



* Re: [PATCH v3] fetch2: Add BB_ALLOWED_NETWORKS support
  2015-06-16 19:25                             ` Rifenbark, Scott M
@ 2015-06-16 22:16                               ` Rifenbark, Scott M
  0 siblings, 0 replies; 22+ messages in thread
From: Rifenbark, Scott M @ 2015-06-16 22:16 UTC (permalink / raw)
  To: Rifenbark, Scott M, Howlett, Liam (Wind River)
  Cc: Paul Eggleton, bitbake-devel@lists.openembedded.org, Gary Thomas

Ok - I am done with this thread.  The description for BB_ALLOWED_NETWORKS is now in the BitBake User Manual and the YP Reference Manual.  The commit has been pushed to my contrib area for bitbake and Richard has been notified.

Scott

>-----Original Message-----
>From: bitbake-devel-bounces@lists.openembedded.org [mailto:bitbake-
>devel-bounces@lists.openembedded.org] On Behalf Of Rifenbark, Scott M
>Sent: Tuesday, June 16, 2015 12:26 PM
>To: Howlett, Liam (Wind River)
>Cc: Paul Eggleton; bitbake-devel@lists.openembedded.org; Gary Thomas
>Subject: Re: [bitbake-devel] [PATCH v3] fetch2: Add
>BB_ALLOWED_NETWORKS support
>
>
>
>>-----Original Message-----
>>From: Liam R. Howlett [mailto:Liam.Howlett@windriver.com]
>>Sent: Tuesday, June 16, 2015 12:24 PM
>>To: Rifenbark, Scott M
>>Cc: Paul Eggleton; Bernhard Reutner-Fischer; Gary Thomas; bitbake-
>>devel@lists.openembedded.org
>>Subject: Re: [bitbake-devel] [PATCH v3] fetch2: Add BB_ALLOWED_NETWORKS support
>>
>>* Rifenbark, Scott M <scott.m.rifenbark@intel.com> [150616 11:25]:
>>>
>>>
>>> >-----Original Message-----
>>> >From: Liam R. Howlett [mailto:Liam.Howlett@windriver.com]
>>> >Sent: Tuesday, June 16, 2015 6:42 AM
>>> >To: Paul Eggleton
>>> >Cc: Bernhard Reutner-Fischer; Rifenbark, Scott M; Gary Thomas;
>>> >bitbake- devel@lists.openembedded.org
>>> >Subject: Re: [bitbake-devel] [PATCH v3] fetch2: Add
>>> >BB_ALLOWED_NETWORKS support
>>> >
>>> >* Paul Eggleton <paul.eggleton@linux.intel.com> [150616 04:40]:
>>> >> On Monday 15 June 2015 23:47:29 Bernhard Reutner-Fischer wrote:
>>> >> > On June 15, 2015 4:03:11 PM GMT+02:00, "Rifenbark, Scott M"
>>> >> <scott.m.rifenbark@intel.com> wrote:
>>> >> > >Hi,
>>> >> > >
>>> >> > >Here is a first draft of documenting the BB_ALLOWED_NETWORKS
>>> >> > >variable in the BitBake User Manual.  I re-wrote the original
>>> >> > >text to be active voice and applied some different organization
>>> >> > >of the facts to help the flow out.  Regarding Gary's input
>>> >> > >about BB_NO_NETWORK..... I took a half guess at incorporating it.
>>> >> > >Please look this new description over and let me know of any
>>> >> > >corrections I need to make.
>>> >> > >http://www.yoctoproject.org/docs/1.9/bitbake-user-manual/bitbake-user-manual.html#var-BB_ALLOWED_NETWORKS.
>>> >
>>> >Hi,
>>> >
>>> >The documentation looks correct, however it might be worth noting
>>> >that adding the host you'd like to use to PREMIRROR will result in
>>> >the source code being fetched from an allowed location and avoid
>>> >raising an error when a host that is not allowed is in a SRC_URI
>>> >because the fetcher will not attempt to use the SRC_URI host after a
>>> >successful fetch from the PREMIRROR.  Using BB_ALLOWED_NETWORKS in
>>> >conjunction with PREMIRROR is where this feature is very useful.
>>>
>>> Check the link to the variable description out now Liam.  Let me know if this addition is okay.
>>
>>This looks good!
>>
>>Thanks,
>>Liam
>
>Awesome... I will get the commit into the Bitbake repo and then duplicate the
>entry in the YP ref-manual.
>
>Thanks,
>Scott
>
>>
>>>
>>> >
>>> >
>>> >> > Was the v3 fixed / extended to allow for netmasks, btw?
>>> >> > Think
>>> >> > /etc/hosts
>>> >> > foo.example.com 10.0.0.1
>>> >> > bar.example.com 10.0.0.254
>>> >> > baz.example.com ::1
>>> >> >
>>> >> > BB_ALLOWED_NETWORKS = 10.0.0.0/24 1.1.1.1/31 ::1/127
>>> >>
>>> >> I don't believe so. You can see what actually went in here:
>>> >>
>>> >> http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=59ce7d02a57e0a642d839ab48677f6ac1886180f
>>> >>
>>> >> Cheers,
>>> >> Paul
>>> >
>>> >
>>> >There isn't netmask support, but you can achieve the same result in
>>> >your example above by using BB_ALLOWED_NETWORKS = "*.example.com"
>>> >
>>> >Version 2 updated the host matching and added a few more tests.
>>> >
>>> >Version 3 changed the name from BB_TRUSTED_NETWORKS to
>>> >BB_ALLOWED_NETWORKS.
>>> >
>>> >
>>> >Thanks,
>>> >Liam R. Howlett
>>> >
>>> >>
>>> >> --
>>> >>
>>> >> Paul Eggleton
>>> >> Intel Open Source Technology Centre
>--
>_______________________________________________
>bitbake-devel mailing list
>bitbake-devel@lists.openembedded.org
>http://lists.openembedded.org/mailman/listinfo/bitbake-devel


^ permalink raw reply	[flat|nested] 22+ messages in thread
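The thread above makes three practical points about BB_ALLOWED_NETWORKS: entries are host names, a leading "*." wildcard covers a whole domain, there is no netmask (CIDR) support, and an allowed PREMIRROR that serves the source means the SRC_URI host is never contacted, so a disallowed upstream does not raise. The following is an added example written for this page to illustrate that behaviour; it is not BitBake's own fetcher code. Its assumptions, which the thread does not state, are that host comparison is case-insensitive, that user info and ":port" in the URL are ignored, that "*.example.com" matches only sub-domains of example.com and not example.com itself, and that a candidate outside the list is skipped with a warning for mirrors but is an error for the SRC_URI host. The URLs, host names and the "reachable" set are constructed for the demonstration.

```python
"""Host allow-listing in the style of BB_ALLOWED_NETWORKS (illustration only)."""
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit


class UntrustedUrl(Exception):
    """The fetcher would have to contact a host outside BB_ALLOWED_NETWORKS."""


class FetchError(Exception):
    """No allowed candidate answered (constructed for the simulation)."""


def host_of(url: str) -> str:
    """Host part of a fetcher URL, lower-cased, without user info or port.

    Assumption: BitBake URL parameters (";protocol=https") sit in the path,
    so urlsplit's hostname is enough; file:// URLs yield an empty host.
    """
    return urlsplit(url).hostname or ""


def host_allowed(url: str, allowed_networks: Optional[str],
                 no_network: bool = False) -> bool:
    """True if the fetcher may use url under the given BB_ALLOWED_NETWORKS.

    An unset or empty list leaves behaviour unchanged (everything allowed);
    BB_NO_NETWORK already blocks all fetching, so the list is moot then.
    """
    if no_network:
        return True
    entries = (allowed_networks or "").split()
    if not entries:
        return True
    host = host_of(url)
    if not host:
        return True  # local URL, nothing to allow-list
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("*."):
            # "*.example.com" -> any host ending in ".example.com";
            # "evil-example.com" and bare "example.com" do not match.
            if host.endswith(entry[1:]):
                return True
        elif entry == host:
            return True
        # A CIDR entry such as "10.0.0.0/24" is compared as a plain string
        # and therefore never matches a host: there is no netmask support.
    return False


def fetch(src_uri: str, premirrors: List[str], mirrors: List[str],
          allowed_networks: Optional[str],
          reachable: Set[str]) -> Tuple[str, List[str]]:
    """Simulate the fetch order: PREMIRRORS, then SRC_URI, then MIRRORS.

    premirrors/mirrors are candidate URLs already rewritten for this
    SRC_URI; reachable is a constructed set of hosts that "answer".
    Returns (url_used, warnings). Mirror candidates outside the allow-list
    are skipped with a warning; reaching a disallowed SRC_URI host raises.
    """
    warnings: List[str] = []

    def try_mirror(candidate: str, kind: str) -> bool:
        if not host_allowed(candidate, allowed_networks):
            warnings.append("%s %s is not in BB_ALLOWED_NETWORKS, skipping"
                            % (kind, candidate))
            return False
        return host_of(candidate) in reachable

    for candidate in premirrors:
        if try_mirror(candidate, "PREMIRROR"):
            return candidate, warnings
    # Only now is the SRC_URI host contacted, so a disallowed upstream
    # causes no error when an allowed PREMIRROR already served the source.
    if not host_allowed(src_uri, allowed_networks):
        raise UntrustedUrl(src_uri)
    if host_of(src_uri) in reachable:
        return src_uri, warnings
    for candidate in mirrors:
        if try_mirror(candidate, "MIRROR"):
            return candidate, warnings
    raise FetchError("no allowed source for %s answered" % src_uri)


if __name__ == "__main__":
    # Constructed scenario: upstream on github.com, internal premirror allowed.
    upstream = "git://github.com/some/project.git;protocol=https"
    internal = "git://git.example.com/mirror/project.git"
    used, warns = fetch(upstream, [internal], [], "*.example.com",
                        {"git.example.com"})
    print("fetched from", used, "warnings:", warns)
```

The wildcard check is a suffix match on ".example.com", which is what keeps look-alike hosts such as evil-example.com out; a CIDR string in the list is simply an entry that can never match, so a build relying on "10.0.0.0/24" would see every fetch rejected rather than silently widened.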

end of thread, other threads:[~2015-06-16 22:16 UTC | newest]

Thread overview: 22+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-03-31 18:39 [PATCH] fetch2: Add BB_TRUSTED_NETWORK support Liam R. Howlett
2015-03-31 18:39 ` Liam R. Howlett
2015-04-15 18:17   ` [PATCH v2] " Liam R. Howlett
2015-04-15 18:17     ` Liam R. Howlett
2015-04-16 17:06       ` [PATCH v3] fetch2: Add BB_ALLOWED_NETWORKS support Liam R. Howlett
2015-04-16 17:23       ` Liam R. Howlett
2015-05-12 11:17         ` Richard Purdie
2015-05-12 14:28           ` Liam R. Howlett
2015-06-15 13:28             ` Paul Eggleton
2015-06-15 13:30               ` Rifenbark, Scott M
2015-06-15 13:38               ` Gary Thomas
2015-06-15 14:03                 ` Rifenbark, Scott M
2015-06-15 21:47                   ` Bernhard Reutner-Fischer
2015-06-16  8:40                     ` Paul Eggleton
2015-06-16 13:42                       ` Liam R. Howlett
2015-06-16 15:25                         ` Rifenbark, Scott M
2015-06-16 19:24                           ` Liam R. Howlett
2015-06-16 19:25                             ` Rifenbark, Scott M
2015-06-16 22:16                               ` Rifenbark, Scott M
2015-04-15 19:37 ` [PATCH] fetch2: Add BB_TRUSTED_NETWORK support Christopher Larson
2015-04-15 19:42   ` Bernhard Reutner-Fischer
2015-04-16 14:16     ` Liam R. Howlett

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.