On Wed Feb 18, 2026 at 10:28 PM CET, Peter Marko wrote:
>
>
>> -----Original Message-----
>> From: Yoann Congal <[email protected]>
>> Sent: Wednesday, February 4, 2026 11:10
>> To: Marko, Peter (FT D EU SK BFS1) <[email protected]>;
>> [email protected]
>> Subject: Re: [OE-core][scarthgap][PATCH] gnupg: upgrade 2.4.8 -> 2.4.9
>> 
>> On Sat Jan 10, 2026 at 11:44 PM CET, Peter Marko via lists.openembedded.org
>> wrote:
>> > From: Peter Marko <[email protected]>
>> >
>> > Handles CVE-2025-68973.
>> >
>> > Refresh patches.
>> >
>> > Signed-off-by: Peter Marko <[email protected]>
>> > ---
>> >  meta/recipes-support/gnupg/gnupg/relocate.patch    | 14 +++++++-------
>> >  .../gnupg/{gnupg_2.4.8.bb => gnupg_2.4.9.bb}       |  2 +-
>> >  2 files changed, 8 insertions(+), 8 deletions(-)
>> >  rename meta/recipes-support/gnupg/{gnupg_2.4.8.bb => gnupg_2.4.9.bb}
>> (97%)
>> 
>> Hello,
>> 
>> I've tested that on autobuilder but got an error in oe-selftest-debian:
>> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/35/builds/3138
>>   ERROR: autoconf-native-2.72e-r0 do_recipe_qa: GPG exited with code 2: gpg: signing failed: Corrupted protection
>>   gpg: signing failed: Corrupted protection
>>   ERROR: patch-native-2.7.6-r0 do_recipe_qa: GPG exited with code 2: gpg: signing failed: Corrupted protection
>>   gpg: signing failed: Corrupted protection
>> 
>> I've started a build with this gnupg upgrade reverted to confirm that
>> this is indeed the cause:
>> https://autobuilder.yoctoproject.org/valkyrie/?#/builders/35/builds/3142
>> 
>> Can you look at this?
>> Thanks!
>
> Unfortunately, I'm not able to reproduce this failure.
>
> On my Debian 11 I have:
> SANITY_TESTED_DISTROS = ""
> PACKAGE_CLASSES = "package_rpm"
> RPM_GPG_SIGN_CHUNK = "1"
> IMAGE_CLASSES += 'testimage'
> And run:
> oe-selftest -r signing -j 16
> And get:
> oe-selftest - INFO - RESULTS - signing.LockedSignatures.test_locked_signatures: PASSED (122.35s)
> oe-selftest - INFO - RESULTS - signing.Signing.test_signing_packages: PASSED (155.34s)
> oe-selftest - INFO - RESULTS - signing.Signing.test_signing_sstate_archive: PASSED (121.11s)
> oe-selftest - INFO - oe-selftest - OK - All required tests passed (successes=3, skipped=0, failures=0, errors=0)

FYI, the failing build:
https://autobuilder.yoctoproject.org/valkyrie/?#/builders/35/builds/3138
... was on Debian 12
(It's the retry with this patch reverted that was on Debian 11)

Scarthgap has since been successfully retried on Debian 12 (without this
patch):
https://autobuilder.yoctoproject.org/valkyrie/?#/builders/35/builds/3226

Can you check this on Debian 12?

Thanks!

> So I guess I just backport the CVE fix instead of this upgrade.
>
> Peter
>
>> 
>> Regards,
>> 
>> --
>> Yoann Congal
>> Smile ECS


-- 
Yoann Congal
Smile ECS
